MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AveMariaRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2
SHA3-384 hash: 3c6e91534c7d9310922ec60eaa64bf6a4868e547523bd9cacd057abc0371f967a03ca84a3ffb9da0e2aaa22e3b62c9f5
SHA1 hash: 7c874b0d8f65d767c3a9d57ec0130e8a2ad872cb
MD5 hash: 8ad95839e38a55c88808e599f1099811
humanhash: idaho-video-lamp-diet
File name:GLS Italy - Notifica spedizione V2 3564.JS
Download: download sample
Signature AveMariaRAT
Create hunting rule
File size:2'138'501 bytes
First seen:2025-05-23 14:48:08 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:YED4Ze6HbH4ZrRFbXqd5TJ72WYMBCedIK:YWO55TJ72WYMBCedIK
Threatray 1'163 similar samples on MalwareBazaar
TLSH T198A533482F552EDF0F678DEC63352EC0E83516CA9407782D4AA057F4D8DEC65EAB12E8
Magika javascript
Reporter abuse_ch
Tags:AveMariaRAT js

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.JS.Obfus-2179.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68308c284912a6b9dd4c73db
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Link:
https://www.hybrid-analysis.com/sample/7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2
Result
Threat name:
AveMaria, PrivateLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698132
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AveMaria stealer
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PrivateLoader
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1698132 Sample: GLS Italy - Notifica spediz... Startdate: 23/05/2025 Architecture: WINDOWS Score: 100 35 channelchief.varindia.com 2->35 37 webmail.aruba.it 2->37 39 2 other IPs or domains 2->39 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 13 other signatures 2->55 8 wscript.exe 1 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 process4 dnsIp5 73 JScript performs obfuscated calls to suspicious functions 8->73 75 Suspicious powershell command line found 8->75 77 Wscript starts Powershell (via cmd or directly) 8->77 79 2 other signatures 8->79 14 powershell.exe 14 15 8->14         started        43 127.0.0.1 unknown unknown 11->43 signatures6 process7 dnsIp8 45 channelchief.varindia.com 103.249.97.230, 443, 49687 HOSTCOIN-AS-IN-APESDSSoftwareSolutionPvtLtdIN India 14->45 47 webmail.aruba.it 62.149.158.90, 443, 49686 ARUBA-ASNIT Italy 14->47 81 Contains functionality to hide user accounts 14->81 83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->83 85 Writes to foreign memory regions 14->85 87 Injects a PE file into a foreign processes 14->87 18 MSBuild.exe 3 12 14->18         started        23 MSBuild.exe 14->23         started        25 conhost.exe 14->25         started        signatures9 process10 dnsIp11 41 196.251.118.106, 4422, 49692 xneeloZA Seychelles 18->41 27 C:\Users\user\AppData\...\vcruntime140.dll, PE32 18->27 dropped 29 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 18->29 dropped 31 C:\Users\user\AppData\Local\Temp\nss3.dll, PE32 18->31 dropped 33 3 other files (none is malicious) 18->33 dropped 57 Contains functionality to hide user accounts 18->57 59 Tries to steal Mail credentials (via file / registry access) 18->59 61 Tries to harvest and steal browser information (history, passwords, etc) 18->61 71 2 other signatures 18->71 63 Contains functionality to inject threads in other processes 23->63 65 Contains functionality to steal Chrome passwords or cookies 23->65 67 Contains functionality to steal e-mail passwords 23->67 69 Uses threadpools to delay analysis 23->69 file12 signatures13
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-23 13:23:56 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obs54i4hf2uiq4xl63kq3pmins6eihdvw4x3vrpr7jrsxvdaa3ba._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
1954852d49e10ab60251b4d441456bde537c7f349297c2c9c972aaf6cd9f5065
AveMariaRAT
23f9fe7816885cdc1fa4082870eb0eb6804df4dc15cafb0cb4c301bc7bebe5ea
AveMariaRAT
25d96cd43fe35d1ab7dd8be793a2b54595876ba8514ab273efe59a345afaae14
AveMariaRAT
55021119b7a7a05fea8b2141242d77bf417462a9a55c7ebcf8a01fda46072602
AveMariaRAT
6d76eb3bddde98330c44eaad153adab619c41faa8fda8f32802b6d8046188618
AveMariaRAT
6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
AveMariaRAT
9568e856bd7e2469908c9ee8dfc816f94662dd9643e34c6ec6d3153656e82247
AveMariaRAT
d392f469874d4bd4c888e9d26827785536a46f4bc5814d87eebc0c448c42a981
AveMariaRAT
error
AveMariaRAT
fd55dac59db1d3b1537ed0668b0dabaaa1cc6b178ef5c8cb758b7290f7e34030
AveMariaRAT
+ 1'153 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat collection discovery execution infostealer rat
Link:
https://tria.ge/reports/250523-r6qetatwfz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Malware Config
C2 Extraction:
196.251.118.106:4422
Dropper Extraction:
https://webmail.aruba.it/smart/cgi-bin/ajaxfile?ACT_FIL_DL=1&PUBLICUID=@1.VFMxM0RLUmlpak5VUCt4RkdEU3luR3VzRmxneHAzUStkTzBJZythWmhBYXR2Rng3R2dCNVl5V3djYTBnV0luVA==
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments