The sample we’re analyzing belongs to the Ave Maria RAT malware family, but judging from its simple functions, it may only be a loader that downloads the more complete malware.
The file disguises itself as a PDF with its icon, but it is actually a .NET program. We fire up dnSpy, load it in, and navigate to the program’s entry point.
In the main function, it calls three functions, each of them setting the stage for remote execution of code.
In the function Nail, it applies a low-level string obfuscation by inserting “Xupp” into the name of the method actually being called, which is “GetByteArrayAsync”.
What this method does is “send a GET request to the specified Uri and return the response body as a byte array in an asynchronous operation.”
As of writing, the file at the link no longer exists. It’s important to note that the link does not morph in any way and is hardcoded. Hence, by blocking access to that URL, the loader fails.
The downloaded bytes are also obfuscated with Chinese characters, which are removed before the Base64-decoded string is returned.
It can be inferred that the “file” that was uploaded to the site is not actually a file, but an encoded payload stored in an array of bytes.
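To illustrate the deobfuscation steps described above, here is an added analyst helper (example code, not part of the original post or the malware) that reverses the loader’s two tricks: it strips the “Xupp” insert from the method name and removes interleaved Chinese characters before Base64-decoding the fetched bytes, then checks whether the result looks like a PE image (the sample blob and filler ideographs are constructed here, not taken from the real download):

```python
import base64

# Constructed placeholder payload: a PE-like header followed by filler,
# NOT a real assembly from the sample.
PAYLOAD = b"MZ\x90\x00" + b"constructed placeholder, not a real assembly"


def deobfuscate_method_name(name: str, junk: str = "Xupp") -> str:
    """Remove the inserted junk token, e.g. GetByteXuppArrayAsync -> GetByteArrayAsync."""
    return name.replace(junk, "")


def strip_cjk(text: str) -> str:
    """Drop CJK Unified Ideographs (U+4E00..U+9FFF), the range the loader strips."""
    return "".join(ch for ch in text if not ("\u4e00" <= ch <= "\u9fff"))


def deobfuscate(blob: bytes) -> bytes:
    """Decode the fetched bytes as UTF-8, remove the ideographs, then Base64-decode.

    validate=True makes any leftover non-Base64 character raise, so a blob that
    uses a different filler alphabet is flagged instead of silently mis-decoded.
    """
    cleaned = strip_cjk(blob.decode("utf-8", errors="replace"))
    return base64.b64decode(cleaned, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check: a payload loaded via Assembly.Load should start with 'MZ'."""
    return data[:2] == b"MZ"


def build_sample_blob(payload: bytes) -> bytes:
    """Construct a test blob by interleaving filler ideographs into the Base64 text."""
    b64 = base64.b64encode(payload).decode("ascii")
    noise = "混淆填充字符"  # constructed filler, all within U+4E00..U+9FFF
    out = []
    for i, ch in enumerate(b64):
        out.append(ch)
        if i % 4 == 3:
            out.append(noise[(i // 4) % len(noise)])
    return "".join(out).encode("utf-8")


SAMPLE_BLOB = build_sample_blob(PAYLOAD)

if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE_BLOB)
    print(deobfuscate_method_name("GetByteXuppArrayAsync"))
    print(looks_like_pe(recovered), recovered[:16])
```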
In the main function, the call to Nail does not use the return value. The return value of Nail is instead used in Axe, as we shall see below.
In Axe, it spawns a hidden PowerShell process with “ProcessWindowStyle.Hidden” and “CreateNoWindow = true”.
The PowerShell process executes the commands
which simply sleep for 20 seconds in total.
Axe then loads the return string of Nail as assemblies, which are then used in Hummer.
The function Hummer is where the code execution takes place.
Hummer iterates through all loaded assemblies from Axe and Nail, and only executes the method “Llqatcylovmpltqyvccqoyu” when the type name is “Ebgyiezdt.Gowutkhwellqxu”.
If the method fails to run or returns null, the program throws an exception; if the method was executed successfully, it prints the result to the console.
Since this entire executable is non-looping (i.e., it does not continuously fetch commands) and only performs a one-time execution when opened, it may be just a loader that downloads the actual malware.