General
- Target: 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
- Size: 3.5MB
- Sample: 201108-4smzmexdfj
- MD5: 182d028b33e65fb17d4a601cbfe38dff
- SHA1: fdc5b33a43ca57abe13f5d03c429897cafddda5b
- SHA256: 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
- SHA512: 4cbe9456ecbab9674e8d168a306b2327d1eb57a0b98bcfe64bc84c371387dda8f4714ea128b8d98ba98c85b5b0b059c749cbf10fc5b8032874997125f1fc0de6
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
  - Resource: win7v20201028
Behavioral task
- behavioral2
  - Sample: 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4.exe
  - Resource: win10v20201028
Malware Config
Extracted: warzonerat
- sandyclark255.hopto.org:5200
Extracted: darkcomet
- 2020NOV5
- sandyclark255.hopto.org:1605
- DC_MUTEX-XRQ89VC
- InstallPath: skypew.exe
- gencode: pZP6alYpcpSq
- install: true
- offline_keylogger: true
- password: hhhhhh
- persistence: true
- reg_key: skype
Extracted: asyncrat
- 0.5.6A
- sandyclark255.hopto.org:6606
- sandyclark255.hopto.org:8808
- sandyclark255.hopto.org:7707
- adweqsds5
- aes_key: kv5uVyBGd24QqEsgPMVYkssYB7jsYam1
- anti_detection: true
- autorun: true
- bdos: false
- delay: (empty)
- host: sandyclark255.hopto.org
- hwid: (empty)
- install_file: (empty)
- install_folder: %AppData%
- mutex: adweqsds5
- pastebin_config: null
- port: 6606,8808,7707
- version: 0.5.6A
Targets
- Target: 9349dedc83ec4d4feb499846694ba241e205023fdec6e3cdd37ac82cc47661b4
- Modifies WinLogon for persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Async RAT payload
- Warzone RAT Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext