Ave Maria


Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.

Type: Stealer
Origin: Unknown
First seen: 4 December, 2018
Last seen: 3 June, 2023
Also known as: AVE_MARIA, Warzone RAT

What is Ave Maria malware?

Ave Maria is a remote access Trojan, infostealer, and keylogger. It is malware that attackers can use to gain remote control of the machines it infects. When researchers first discovered this Trojan, it was thought to be rather simplistic. However, later samples turned out to have surprisingly advanced functions.

The malware is sold as a one- or three-month subscription and can be purchased openly from its operators, which is typical for this type of malware. Buyers can also purchase a dynamic DNS service from the same distributor to complete the package.

General description of Ave Maria malware

Ave Maria is a modular RAT with an advanced design. When it was first discovered, researchers believed that the malware was fairly simple and would not follow in Ryuk ransomware's footsteps. Later analysis revealed that this malware has advanced functions under its hood, such as privilege escalation and remote camera control.

According to the analysis, the Ave Maria Trojan is capable of stealing a wide range of data from infected machines. Even well-protected information such as credentials stored in Mozilla Firefox is not safe, despite the PK11 encryption Firefox uses.

However, some parts of the malware appear to be unfinished, and it looks like the authors are still working on expanding its functionality even further. Considering how effective this RAT already is, that prospect is worrying.

The Ave Maria Trojan uses a DLL hijacking technique that, at this point, has no foreseeable fix. It allows the malware to escalate the privileges of a Windows process so that a malicious process gains administrative control of the infected machine. Unfortunately, the malware is also capable of evading detection on many target machines.

Once the malware has established this initial foothold, it downloads additional plugins and even other malware, such as Lokibot, onto the machine.

Interactive analysis of Ave Maria malware

A video recorded in the ANY.RUN malware hunting service displays the execution process of Ave Maria. Users can utilize this information to perform a deep analysis of how this malware functions under the hood.

Figure 1: Graph of the processes created during Ave Maria execution, generated by the ANY.RUN malware hunting service.

Figure 2: Text report of the Ave Maria analysis. ANY.RUN allows creating customizable text reports that contain detailed and well-structured information, which is convenient for presentations.

Ave Maria malware execution process

Based on the analysis, the Ave Maria RAT execution process can vary slightly from one version to another. Since the main distribution vector of this malware is malicious spam email campaigns, it usually exploits the CVE-2017-11882 vulnerability (Microsoft Equation Editor), but it can infect a system in several other ways.

In the analyzed sample, the malicious document is downloaded and its payload executed through a macro. Then the malware copies itself to the %temp% directory and runs from there. The Ave Maria Trojan changes an autorun value in the registry and creates a scheduled task to establish persistence. For privilege escalation, the malware uses pkgmgr.exe to load a malicious DLL (dismcore.dll) that starts a malware instance with higher privileges. The malware also often injects into the explorer.exe process.

After all these steps, Ave Maria RAT starts its malicious activity: its keylogger saves all keystrokes and other user activity to a file, it establishes a connection with the C2 server, it steals more data from the system, and so on.

Distribution of Ave Maria malware

Like Revenge, Glupteba and many other RATs and ransomware, Ave Maria is distributed in email spam campaigns that deliver a malicious attachment. However, attackers often use phishing techniques to tailor the emails to suit each targeted segment of potential victims more closely than in typical email spam.

The danger of the Ave Maria distribution method, combined with tailored campaigns, lies in the fact that neither macros nor further user interaction are needed once the victim has downloaded the malicious document. The infection often begins with a Microsoft Equation Editor exploit triggered by an embedded object contained in the downloaded document.

How to detect Ave Maria malware using ANY.RUN?

Unlike ransomware, Ave Maria malware performs its information stealing offline, which means it saves the collected data locally on the infected system. To see what information was stolen by Ave Maria RAT, look inside the files it creates using "Static Discovering." These files often have names in the dd-mm-yy_hh.mm.ss format. To open a file, click on the file's name and start the analysis.

Figure 3: Information stolen by Ave Maria, as shown in ANY.RUN.
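As an added example (not code from the ANY.RUN page, and not its report format), the following Python script turns the behaviours from the execution-process section above (pkgmgr.exe loading dismcore.dll, an autorun value and scheduled task created by a binary running from %temp%) and the dd-mm-yy_hh.mm.ss file naming just described into simple detection rules, and runs them over constructed sample events. The event shapes, file paths and names are hypothetical.

```python
import re

# Per the page, stolen-data/keylog files are named dd-mm-yy_hh.mm.ss.
LOOT_NAME = re.compile(r"^\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}$")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

def detect_ave_maria(events):
    """Return the sorted names of rules that fired over a list of event dicts.
    Event dicts (type, process, image/key/parent+cmdline/path) are a
    constructed shape for this example, not a real sandbox or EDR format."""
    hits = set()
    for ev in events:
        proc = ev.get("process", "").lower()
        if ev["type"] == "image_load":
            image = ev["image"].lower()
            # pkgmgr.exe loading dismcore.dll from outside System32 is the
            # DLL-hijacking privilege escalation the page describes.
            if (proc.endswith("\\pkgmgr.exe") and image.endswith("\\dismcore.dll")
                    and "\\windows\\system32\\" not in image):
                hits.add("pkgmgr_dismcore_hijack")
        elif ev["type"] == "registry_set":
            # Autorun value written by a binary running out of %temp%.
            if RUN_KEY in ev["key"].lower() and "\\temp\\" in proc:
                hits.add("temp_binary_run_key")
        elif ev["type"] == "process_create":
            # Scheduled task created on behalf of a %temp% binary.
            if (proc.endswith("\\schtasks.exe") and "/create" in ev.get("cmdline", "").lower()
                    and "\\temp\\" in ev.get("parent", "").lower()):
                hits.add("temp_binary_schtasks")
        elif ev["type"] == "file_create":
            # Timestamp-named file where keystrokes and stolen data are saved.
            if LOOT_NAME.match(ev["path"].rsplit("\\", 1)[-1]):
                hits.add("timestamp_named_loot_file")
    return sorted(hits)

# Constructed sample events with hypothetical paths; the last is a benign load.
TEMP_EXE = r"C:\Users\victim\AppData\Local\Temp\images.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": TEMP_EXE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images"},
    {"type": "process_create", "process": r"C:\Windows\System32\schtasks.exe",
     "parent": TEMP_EXE, "cmdline": "schtasks /create /sc minute /tn images /tr " + TEMP_EXE},
    {"type": "image_load", "process": r"C:\Windows\System32\pkgmgr.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\dismcore.dll"},
    {"type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\victim\AppData\Roaming\03-06-23_14.22.05"},
    {"type": "image_load", "process": r"C:\Windows\System32\pkgmgr.exe",
     "image": r"C:\Windows\System32\Dism\dismcore.dll"},
]
```

Running `detect_ave_maria(SAMPLE_EVENTS)` fires all four rules, while the benign System32 load alone fires none.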

Summary

Ave Maria malware should be considered as serious a cybersecurity threat as other RATs or ransomware. It utilizes a vulnerability that may remain unfixed for the foreseeable future.

Additionally, the combination of highly targeted phishing emails and the lack of any need for user interaction to begin execution makes the chance of infection with this malware higher than average. We should also add that the latest samples of the malware show many advancements compared to the first reports. It is safe to assume that Ave Maria will be upgraded further down the line.

This threat is fairly new, and right now there is limited information about Ave Maria RAT. That is all the more reason to use the advanced functions of the ANY.RUN malware hunting service to analyze and dissect the available samples. Unfortunately, we must admit that it is likely we will hear about this malware again, and the more prepared we are then, the better.
