{
	"id": "24cb1744-b326-4069-85f0-7639d22cf4e9",
	"created_at": "2026-04-06T00:19:16.172414Z",
	"updated_at": "2026-04-10T03:20:30.326056Z",
	"deleted_at": null,
	"sha1_hash": "4959e2ab1c400a9c9ffe3e5e3f010e416954513e",
	"title": "Malware Analysis - Ave_Maria RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1675329,
	"plain_text": "Malware Analysis - Ave_Maria RAT\r\nBy Bar Magnezi\r\nPublished: 2025-05-15 · Archived: 2026-04-05 16:00:09 UTC\r\nSample:\r\n7ebdce51613a9214f61fa3983e9a2d19\r\nBackground\r\nAve Maria, also known as Warzone RAT, is a remote access trojan that gives attackers full control over an\r\ninfected system. It is typically spread through phishing emails with malicious attachments and offers features such as\r\nkeylogging, credential theft, webcam access, and file exfiltration.\r\nStatic Analysis\r\nFigure 1: Malware Bazaar Entry\r\nThe sample was first uploaded from Greece and is most likely targeting organizations in that region. The file is\r\nnamed “Ειδοποίηση πληρωμής_79153 22331.JS”, which translates from Greek to “Payment Notice.”\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/AveMaria/\r\nPage 1 of 12\n\nFigure 2: First Stage Code\r\nIt is a JavaScript file containing a single line of code with approximately 1.5 million characters—an obfuscation\r\ntechnique designed to hinder analysis and evade detection. I noticed the string\r\n“Lightsddffffffffwonwwwwwwwwwwwwwwwwwwharecovey” repeated throughout the script, likely serving as\r\njunk code for obfuscation. Based on that assumption, I decided to remove it to simplify analysis.\r\nFigure 3: After Removing String\r\nAs shown in the figure above, the assumption proved correct—removing the junk string revealed a Base64-\r\nencoded payload. Decoding the payload in CyberChef revealed PowerShell code, as shown in Figure 4.\r\nFigure 4: CyberChef Decode\r\nThe decoded PowerShell code performs the following actions:\r\nInitializes URLs with a custom User-Agent\r\nDownloads a fake gif and txt file from a remote server\r\nExtracts hidden Base64 data between specific markers\r\nDecodes and loads a .NET assembly directly into memory\r\nInvokes a method from the loaded assembly using obfuscated parameters\r\nFigure 5: Cleaned Code\r\nThe first URL contained a long reversed Base64 string, while the second URL pointed to a GIF file, as shown in\r\nFigures 6 and 7.\r\nFigure 6: First URL - Reversed Base64 String\r\nFigure 7: Second URL - GIF\r\nStarting with the first URL, which was reversed, I used CyberChef to reverse and decode its Base64 content, as\r\nshown in Figure 8.\r\nFigure 8: CyberChef to decode the string\r\nThe second URL led to a GIF file, and examining it in a hex editor confirmed that the code was using a Base64-\r\nencoded string hidden between tags within the GIF.\r\nFigure 9: HxD Locating The \"sudo_png\" Tag\r\nFollowing that, I wrote a Python script that takes the file, locates the two tags defined in the PowerShell script,\r\nextracts the content between them, decodes it from Base64, and saves the output to a file, as shown in Figure 10.\r\nFigure 10: Extracts File From The GIF\r\nSecond Stage\r\nIn the second stage, the focus shifts to the DLL and EXE files extracted from the GIF and TXT payloads\r\nin the earlier stage.\r\nFigure 11: Capabilities Of The DLL\r\nFigure 12: Capabilities Of The EXE\r\nAs expected from this RAT, it includes several keylogging techniques, has the capability to extract stored\r\npasswords, and also implements process injection methods.\r\nAnalyzing the sample in a debugger revealed how it carries out these actions. In Figure 13, we can see it executing\r\nSQL queries to retrieve login credentials from various web browsers.\r\nFigure 13: SQL Queries\r\nIn Figure 14, we can see that it also attempts to extract usernames and passwords from Thunderbird (which is\r\nrelatively uncommon among RATs). Following that, it targets various SMTP and email-related services\r\nfor credential harvesting, including Outlook.\r\nFigure 14: Extracts Credentials From Email Related Services\r\nAs shown in Figure 15, it uses the ping command as a delayed-execution mechanism.\r\nFigure 15: Delay Execution\r\nIn addition, while debugging, another C2 server used by the attacker was observed, as shown in Figure 16.\r\nFigure 16: Connection With C2 Address\r\nFurther analysis of the PowerShell line that calls the VAI method from the DLL ($Laverna =\r\n[dnlib.IO.Home].GetMethod(‘VAI’).Invoke(…)) makes it clear that changing the parameters alters the behavior of\r\nthe RAT.\r\nHere are a few examples:\r\nDisplays a message box\r\nFigure 17: MSG Box\r\nSaves a copy to the Public folder\r\nFigure 18: Copy To Public\r\nCreates a scheduled task with varying timestamps (depending on the parameters)\r\nFigure 19: Schedule Task Creation\r\nOne of the arguments, when set to “1” for example, causes the PowerShell window to display logs\r\ncontaining detailed system information, along with checks to determine whether the malware is running in\r\na real environment or is being analyzed and monitored.\r\nFigure 20: System Information\r\nFigure 21: VM Detection\r\nFurther analysis of the strings also revealed that the malware establishes persistence by adding entries to the\r\nregistry to run on user login, as shown in Figure 22.\r\nFigure 22: VM Detection\r\nIn addition, it is also excluded from Windows Defender, as shown in Figure 23.\r\nFigure 23: Exclude From Defender\r\nUsing icacls, it attempts to grant full control permissions to Everyone for the specified target folder and all its\r\ncontents (files and subfolders), replacing any existing permissions.\r\nFigure 24: Icacls Command\r\nVitali Kremez was a prominent cybersecurity researcher and intelligence analyst known for his deep expertise in\r\nmalware reverse engineering and cybercrime investigations. He played a key role in analyzing and exposing major\r\ncyber threats, including ransomware groups and underground forums. Tragically, he passed away in 2022, leaving\r\na lasting impact on the cybersecurity community.\r\nMoreover, his name often appears in various malware families as a form of cybercrime “tribute” by criminal\r\nactors who follow and acknowledge his research closely. In this case, we see his name embedded in a file path:\r\nC:\\Users\\ Vitali Kremez \\Documents\\MidgetP**n\\workspace\\MsgBox.exe\r\nWhile it’s difficult to determine intent with certainty, the context here leans more toward mockery than tribute.\r\nThe inclusion of an inappropriate or provocative folder name alongside his real name suggests an attempt to\r\nridicule or defame, rather than respectfully acknowledge his legacy.\r\nIOCs\r\nHash:\r\n7ebdce51613a9214f61fa3983e9a2d19\r\nc4df7a30cd17a7e71e581e887a69de64\r\n1b35b016afd3f509d2fc128ab5bd653b\r\n324ca3bcae43fe7db3c43a1e24d4e514\r\n8c66d9087118b17ccaa62eb83f3542c1\r\nURL\r\nhxxps://onfiltre[.]com[.]tr\r\nhxxps://channelchief[.]varindia[.]com\r\nIP\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/AveMaria/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/AveMaria/"
	],
	"report_names": [
		"AveMaria"
	],
	"threat_actors": [],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4959e2ab1c400a9c9ffe3e5e3f010e416954513e.pdf",
		"text": "https://archive.orkl.eu/4959e2ab1c400a9c9ffe3e5e3f010e416954513e.txt",
		"img": "https://archive.orkl.eu/4959e2ab1c400a9c9ffe3e5e3f010e416954513e.jpg"
	}
}