General
-
Target
payment_invoice_incorrect.exe
-
Size
1.2MB
-
Sample
210119-kxm2e4kydn
-
MD5
682cbef782fd858fedb4e23a86a93460
-
SHA1
2bdf2f8534494fa6081dd7a06739c187f84f8a50
-
SHA256
58d196d8831863734a9a52f66ca3a52cafdf0355379567897433c4ef7b6fe421
-
SHA512
713edea997e23a1f2c52979b2fb9988e03e7939970a3df958fbd292bc65176b4635e4ab97f5ca4d333c47b388db6a27dc3cb64ff4845582d84957f340f2ceb56
Static task
static1
Behavioral task
behavioral1
Sample
payment_invoice_incorrect.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
payment_invoice_incorrect.exe
Resource
win10v20201028
Malware Config
Extracted
warzonerat
makavi.hopto.org:5200
Targets
-
-
Target
payment_invoice_incorrect.exe
-
Size
1.2MB
-
MD5
682cbef782fd858fedb4e23a86a93460
-
SHA1
2bdf2f8534494fa6081dd7a06739c187f84f8a50
-
SHA256
58d196d8831863734a9a52f66ca3a52cafdf0355379567897433c4ef7b6fe421
-
SHA512
713edea997e23a1f2c52979b2fb9988e03e7939970a3df958fbd292bc65176b4635e4ab97f5ca4d333c47b388db6a27dc3cb64ff4845582d84957f340f2ceb56
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Executes dropped EXE
-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-