SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ave_maria (Back to overview)

Ave Maria

aka: AVE_MARIA, AveMariaRAT, Warzone RAT, avemaria

Actor(s): Anunak

Information stealer which uses AutoIT for wrapping.

References
2021-07-21Youtube (OALabs)OALabs
@online{oalabs:20210721:warzone:d391d61, author = {OALabs}, title = {{Warzone RAT Config Extraction With Python and IDA Pro}}, date = {2021-07-21}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=-G82xh9m4hc}, language = {English}, urldate = {2021-07-22} } Warzone RAT Config Extraction With Python and IDA Pro
Ave Maria
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-01Quick HealAyush Puri
@online{puri:20210701:warzone:becd74e, author = {Ayush Puri}, title = {{WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents}}, date = {2021-07-01}, organization = {Quick Heal}, url = {https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/}, language = {English}, urldate = {2021-07-11} } WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents
Ave Maria
2021-05-19Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210519:reverse:f2f9d20, author = {Sergei Frankoff}, title = {{Reverse Engineering Warzone RAT - Part 1}}, date = {2021-05-19}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=81fdvmGmRvM}, language = {English}, urldate = {2021-05-26} } Reverse Engineering Warzone RAT - Part 1
Ave Maria
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-06Clairvoyance Security LabAdvanced threat research team
@online{team:20210206:mo:c85d4df, author = {Advanced threat research team}, title = {{Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises}}, date = {2021-02-06}, organization = {Clairvoyance Security Lab}, url = {https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA}, language = {Chinese}, urldate = {2021-02-09} } Mo Luoxiu (Confucius) organizes a new round of secret theft attacks on South Asian military enterprises
Ave Maria
2021-01-27Youtube (OALabs)Sergei Frankoff
@online{frankoff:20210127:ida:15a720f, author = {Sergei Frankoff}, title = {{IDA Pro Decompiler Basics Microcode and x86 Calling Conventions}}, date = {2021-01-27}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=T0tdj1WDioM}, language = {English}, urldate = {2021-01-27} } IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
Ave Maria
2021-01-21360 Threat Intelligence CenterAdvanced Threat Institute
@online{institute:20210121:disclosure:7709c9e, author = {Advanced Threat Institute}, title = {{Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack}}, date = {2021-01-21}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw}, language = {Chinese}, urldate = {2021-01-26} } Disclosure of Manling Flower Organization (APT-C-08) using Warzone RAT attack
Ave Maria
2021-01-12UptycsAbhijit Mohanta, Ashwin Vamshi
@online{mohanta:20210112:confucius:865bcc8, author = {Abhijit Mohanta and Ashwin Vamshi}, title = {{Confucius APT deploys Warzone RAT}}, date = {2021-01-12}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat}, language = {English}, urldate = {2021-01-13} } Confucius APT deploys Warzone RAT
Ave Maria Confucius
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-11-30Medium Asuna AmawakaAsuna Amawaka
@online{amawaka:20201130:do:ff3adb4, author = {Asuna Amawaka}, title = {{Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.}}, date = {2020-11-30}, organization = {Medium Asuna Amawaka}, url = {https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1}, language = {English}, urldate = {2021-02-18} } Do you want to bake a donut? Come on, let’s go update~ Go away, Maria.
Ave Maria
2020-11-25UptycsShilpesh Trivedi, Abhijit Mohanta
@online{trivedi:20201125:warzone:bb2219a, author = {Shilpesh Trivedi and Abhijit Mohanta}, title = {{Warzone RAT comes with UAC bypass technique}}, date = {2020-11-25}, organization = {Uptycs}, url = {https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique}, language = {English}, urldate = {2020-12-16} } Warzone RAT comes with UAC bypass technique
Ave Maria
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-02Cisco TalosHolger Unterbrink, Edmund Brumaghin
@online{unterbrink:20200902:salfram:74ae3c9, author = {Holger Unterbrink and Edmund Brumaghin}, title = {{Salfram: Robbing the place without removing your name tag}}, date = {2020-09-02}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html}, language = {English}, urldate = {2020-09-03} } Salfram: Robbing the place without removing your name tag
Ave Maria ISFB SmokeLoader Zloader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-02-03Check Point ResearchYaroslav Harakhavik
@online{harakhavik:20200203:warzone:18606cf, author = {Yaroslav Harakhavik}, title = {{Warzone: Behind the enemy lines}}, date = {2020-02-03}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/}, language = {English}, urldate = {2020-02-03} } Warzone: Behind the enemy lines
Ave Maria
2019-07-25Team CymruTeam Cymru
@online{cymru:20190725:unmasking:91638f6, author = {Team Cymru}, title = {{Unmasking AVE_MARIA}}, date = {2019-07-25}, organization = {Team Cymru}, url = {https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/}, language = {English}, urldate = {2020-01-08} } Unmasking AVE_MARIA
Ave Maria
2019-05-08Kaspersky LabsKaspersky Labs
@online{labs:20190508:fin7:6874fc6, author = {Kaspersky Labs}, title = {{Fin7 hacking group targets more than 130 companies after leaders’ arrest}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest}, language = {English}, urldate = {2020-03-22} } Fin7 hacking group targets more than 130 companies after leaders’ arrest
Ave Maria ANTHROPOID SPIDER
2019-05-08Kaspersky LabsYury Namestnikov, Félix Aime
@online{namestnikov:20190508:fin75:443b111, author = {Yury Namestnikov and Félix Aime}, title = {{FIN7.5: the infamous cybercrime rig “FIN7” continues its activities}}, date = {2019-05-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/}, language = {English}, urldate = {2019-12-20} } FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Griffon Ave Maria FIN7
2019-04-11ReaqtaReaqta
@online{reaqta:20190411:avemaria:d6cd904, author = {Reaqta}, title = {{Ave_Maria Malware: there's more than meets the eye}}, date = {2019-04-11}, organization = {Reaqta}, url = {https://reaqta.com/2019/04/ave_maria-malware-part1/}, language = {English}, urldate = {2020-01-07} } Ave_Maria Malware: there's more than meets the eye
Ave Maria
2019-03-01MorphisecAlon Groisman
@online{groisman:20190301:threat:aaf612e, author = {Alon Groisman}, title = {{Threat Alert: AVE Maria infostealer on the rise}}, date = {2019-03-01}, organization = {Morphisec}, url = {http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery}, language = {English}, urldate = {2020-01-09} } Threat Alert: AVE Maria infostealer on the rise
Ave Maria
2019-01-11Cybaze-Yorio Z-LabAntonio Farina, Luca Mella, Antonio Pirozzi
@online{farina:20190111:avemaria:a3fd77c, author = {Antonio Farina and Luca Mella and Antonio Pirozzi}, title = {{The “AVE_MARIA” Malware}}, date = {2019-01-11}, organization = {Cybaze-Yorio Z-Lab}, url = {https://blog.yoroi.company/research/the-ave_maria-malware/}, language = {English}, urldate = {2019-11-26} } The “AVE_MARIA” Malware
Ave Maria
Yara Rules
[TLP:WHITE] win_ave_maria_auto (20210616 | Detects win.ave_maria.)
rule win_ave_maria_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.ave_maria."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89462c 894634 894630 e8???????? 8bce 5e e9???????? }
            // n = 7, score = 400
            //   89462c               | mov                 dword ptr [esi + 0x2c], eax
            //   894634               | mov                 dword ptr [esi + 0x34], eax
            //   894630               | mov                 dword ptr [esi + 0x30], eax
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   5e                   | pop                 esi
            //   e9????????           |                     

        $sequence_1 = { 33db 57 391e 7408 8d4e0c e8???????? 6a02 }
            // n = 7, score = 400
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   391e                 | cmp                 dword ptr [esi], ebx
            //   7408                 | je                  0xa
            //   8d4e0c               | lea                 ecx, dword ptr [esi + 0xc]
            //   e8????????           |                     
            //   6a02                 | push                2

        $sequence_2 = { 8bf1 57 33ff 397e40 740f ff7644 ff15???????? }
            // n = 7, score = 400
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   397e40               | cmp                 dword ptr [esi + 0x40], edi
            //   740f                 | je                  0x11
            //   ff7644               | push                dword ptr [esi + 0x44]
            //   ff15????????         |                     

        $sequence_3 = { ff15???????? 8bf0 81fe04010000 7629 8bcb e8???????? 33c9 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   81fe04010000         | cmp                 esi, 0x104
            //   7629                 | jbe                 0x2b
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   33c9                 | xor                 ecx, ecx

        $sequence_4 = { 33c2 894de4 33c6 c1c105 034df0 81c3a1ebd96e 03c8 }
            // n = 7, score = 400
            //   33c2                 | xor                 eax, edx
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   33c6                 | xor                 eax, esi
            //   c1c105               | rol                 ecx, 5
            //   034df0               | add                 ecx, dword ptr [ebp - 0x10]
            //   81c3a1ebd96e         | add                 ebx, 0x6ed9eba1
            //   03c8                 | add                 ecx, eax

        $sequence_5 = { 7408 8d4e14 e8???????? 8d4e14 e8???????? 8b4604 85c0 }
            // n = 7, score = 400
            //   7408                 | je                  0xa
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   8d4e14               | lea                 ecx, dword ptr [esi + 0x14]
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   85c0                 | test                eax, eax

        $sequence_6 = { c21000 33c0 0f57c0 a3???????? a3???????? a3???????? b8???????? }
            // n = 7, score = 400
            //   c21000               | ret                 0x10
            //   33c0                 | xor                 eax, eax
            //   0f57c0               | xorps               xmm0, xmm0
            //   a3????????           |                     
            //   a3????????           |                     
            //   a3????????           |                     
            //   b8????????           |                     

        $sequence_7 = { 03c7 0345c4 03d8 c1ce02 8b4ddc 8bc3 334dc8 }
            // n = 7, score = 400
            //   03c7                 | add                 eax, edi
            //   0345c4               | add                 eax, dword ptr [ebp - 0x3c]
            //   03d8                 | add                 ebx, eax
            //   c1ce02               | ror                 esi, 2
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8bc3                 | mov                 eax, ebx
            //   334dc8               | xor                 ecx, dword ptr [ebp - 0x38]

        $sequence_8 = { e9???????? 68???????? ff15???????? 68???????? 50 ff15???????? 85c0 }
            // n = 7, score = 400
            //   e9????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_9 = { 57 8d45f8 50 6819000200 6a00 68???????? }
            // n = 6, score = 400
            //   57                   | push                edi
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   6a00                 | push                0
            //   68????????           |                     

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules