General

- Target: Payment_slip.exe
- Size: 787KB
- Sample: 201229-ce3dhzz5ae
- MD5: 8a9049970d7229e714dff1293dcc62d3
- SHA1: f6f1d8e65ee706a85cabcb872d4038d0bd7e60a3
- SHA256: 91781c386bf7dd5c397d21189fd19d81354267545ce24e344b39358df333d828
- SHA512: 40516a488645977fb7076e4e987908e273e2c30a82d923d6c6574433fe457a91c5a0e6a5ccbc1dae35a7f0a41da2c233467e9c5ab73f5b7a370a6ebe8554f1e5
Static task: static1

Behavioral task: behavioral1
- Sample: Payment_slip.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: Payment_slip.exe
- Resource: win10v20201028
Malware Config

- Extracted (warzonerat): uomz1.ddns.net:5223
Targets

- Target: Payment_slip.exe (787KB; MD5, SHA1, SHA256 and SHA512 identical to the General section above)
- ModiLoader (DBatLoader): ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- WarzoneRat (AveMaria): WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- ModiLoader First Stage
- Warzone RAT Payload
- Adds Run key to start application
- Suspicious use of SetThreadContext