General
-
Target
new order.exe
-
Size
1.5MB
-
Sample
210118-bl18sbzzaa
-
MD5
2e49841fc82760ecebfa5b6f0342366a
-
SHA1
3c18902d82ecfa56c4cfff84954fa116ce249935
-
SHA256
98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f
-
SHA512
fab34aee9bd711df8d02e1623ea63a5a3253e6ec4846503d10f2a8157b18dda6b21fa440989b34f422121e78f05f8f06096421eba41fb20c59ccbf44de7eb4da
Static task
static1
Behavioral task
behavioral1
Sample
new order.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
new order.exe
Resource
win10v20201028
Malware Config
Extracted
warzonerat
mykassa.zapto.org:5200
Targets
-
-
Target
new order.exe
-
Size
1.5MB
-
MD5
2e49841fc82760ecebfa5b6f0342366a
-
SHA1
3c18902d82ecfa56c4cfff84954fa116ce249935
-
SHA256
98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f
-
SHA512
fab34aee9bd711df8d02e1623ea63a5a3253e6ec4846503d10f2a8157b18dda6b21fa440989b34f422121e78f05f8f06096421eba41fb20c59ccbf44de7eb4da
Score10/10-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-