MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce3c41e115ef701927a22ab2db9709a871c80f14487209e8abacde6dd708d865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AveMariaRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 12 File information Comments

SHA256 hash:	ce3c41e115ef701927a22ab2db9709a871c80f14487209e8abacde6dd708d865
SHA3-384 hash:	44d4de8e2b30e3de1184266ec3e0809cd927f0a0f307ce14e740e8c2043b48133fc10d68b18ea7fbd8a11c6adbbff3f2
SHA1 hash:	036f8792bc38d88f7bdc34c2eee1ff33003afead
MD5 hash:	a6e65fc50b1dd45544d41cb2a32f9184
humanhash:	september-virginia-lima-summer
File name:	Necessary Documents.js
Download:	download sample
Signature	AveMariaRAT Create hunting rule
File size:	629'024 bytes
First seen:	2022-04-14 05:48:36 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	12288:9JfB3ckJPCRVpDsNXB1AR8zb4qG2cWqONn/Im9:9JfB3NpWEOb21/Ii
TLSH	T14FD41272B8C3FDC96B3B0D45B3D42D2D1C886E9743A0A209F6C40DA5A5EA544DF279F8
Reporter	abuse_ch
Tags:	AveMariaRAT js RAT

Intelligence

File Origin

# of uploads :

# of downloads :

529

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Sanesecurity.Malware.26270.JsHeur.UNOFFICIAL

Sanesecurity.Malware.25779.JsHeur.UNOFFICIAL

Sanesecurity.Malware.26271.JsHeur.UNOFFICIAL

Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL

Porcupine.Malware.36555.UNOFFICIAL

Js.Downloader.Agent-9914219-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6257b5dbeab80a7a6c1034bf/reports/64221329-b68b-495d-93f9-d170e70b6af3/overview

Result

Verdict:

MALICIOUS

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce3c41e115ef701927a22ab2db9709a871c80f14487209e8abacde6dd708d865/

Threat name:

Script-JS.Downloader.Nemucod

Status:

Malicious

First seen:

2022-04-13 15:56:00 UTC

File Type:

Text (JavaScript)

AV detection:

18 of 42 (42.86%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zy6edyiv55ybsj5cfkznxfyjvby4qdyujbzat2flvtpg3vyi3bsq._file

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:warzonerat collection infostealer rat

Link:

https://tria.ge/reports/220414-gh17asgghp/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Warzone RAT Payload

WarzoneRat, AveMaria

Malware Config

C2 Extraction:

103.99.0.188:5200

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce3c41e115ef701927a22ab2db9709a871c80f14487209e8abacde6dd708d865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	AveMaria Create hunting rule
Author:	@bartblaze
Description:	Identifies AveMaria aka WarZone RAT.

Rule name:	ave_maria_warzone_rat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Codoso_Gh0st_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	Codoso_Gh0st_1_RID2C2D Create hunting rule
Author:	Florian Roth
Description:	Detects Codoso APT Gh0st Malware
Reference:	https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding command execution via IExecuteCommand COM object

Rule name:	MALWARE_Win_AveMaria Create hunting rule
Author:	ditekSHen
Description:	AveMaria variant payload

Rule name:	MALWARE_Win_WarzoneRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AveMaria/WarzoneRAT

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample