General
Target: Swift Copy.zip
Size: 275KB
Sample: 210223-3xnxq2mccs
MD5: d52753f796e8539c7cd55f093e707a99
SHA1: f8f8bedc53dc3ef9ec95d8189d4a83fb66c07acd
SHA256: 9179ffac8f35e73f35673a16efe0144858415cb462387ad524889d25ab72a052
SHA512: fc19476b0ddbff3f86cb8c5f19ca4ded1210879242b0be0551859094571ffe08664f5102bb3e5600514892790d175fcfdb26bd4cf4a2f6f421e355c24dc8753a
Static task: static1
Behavioral task: behavioral1
Sample: Swift copy .xls.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: Swift copy .xls.exe
Resource: win10v20201028
Malware Config
Extracted
Family: warzonerat
C2: 194.5.97.116:1360
Targets
Target: Swift copy .xls.exe
Size: 360KB
MD5: 21f7a17e1a7bf3ea8e5b77beec1dd94f
SHA1: d6d0529b2bc4b8ed2c10d4c0e0730cd90421a744
SHA256: f1a7b6a46915fa2b34597413808c3f79379961e645ec613ec09dd0cd0a8722f0
SHA512: 26a3dbdfae0007a8bcda397ad87d289cc1bd883f69e76cef67b2826069f183fac2e1e7273dbb58edefa7f70ce26e34241e4f70332e68964ad7170b9f228d4ec3
Score: 10/10
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT Payload
- Sets DLL path for service in the registry
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
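The indicators above (two file hashes, one extracted C2 endpoint, and a lure filename that puts a document extension in front of .exe) are what a responder would sweep the estate for. The following Python is an added example, not part of the sandbox report and not tooling from the sandbox or from WarzoneRat: it normalises Sysmon-style hash fields, matches them against the report's MD5/SHA256 values, flags double-extension executables, and checks proxy/firewall lines for the extracted C2. The telemetry lines, the `Hit` record and the log field layout (`Image=... Hashes=MD5=...,SHA256=...` and `dst=ip:port`) are constructed for the demonstration; only the hashes, the filenames and the C2 address come from the report.

```python
"""IOC sweep built from the sandbox report (added example; telemetry below is constructed)."""
import re
from dataclasses import dataclass

# Indicators copied from the report above.
SHA256_IOCS = {
    "9179ffac8f35e73f35673a16efe0144858415cb462387ad524889d25ab72a052": "Swift Copy.zip",
    "f1a7b6a46915fa2b34597413808c3f79379961e645ec613ec09dd0cd0a8722f0": "Swift copy .xls.exe",
}
MD5_IOCS = {
    "d52753f796e8539c7cd55f093e707a99": "Swift Copy.zip",
    "21f7a17e1a7bf3ea8e5b77beec1dd94f": "Swift copy .xls.exe",
}
C2_ENDPOINT = ("194.5.97.116", 1360)  # warzonerat config extracted by the sandbox

# Document extensions that, placed before .exe, indicate a double-extension lure.
LURE_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")


@dataclass(frozen=True)
class Hit:
    source: str      # "file" or "network"
    indicator: str   # which IOC or heuristic fired
    detail: str


# Constructed Sysmon-like process-creation records (assumed layout, NOT real telemetry).
FILE_EVENTS = [
    "Image=C:\\Users\\bob\\Downloads\\Swift copy .xls.exe Hashes=MD5=21F7A17E1A7BF3EA8E5B77BEEC1DD94F,"
    "SHA256=F1A7B6A46915FA2B34597413808C3F79379961E645EC613EC09DD0CD0A8722F0",
    "Image=C:\\Windows\\System32\\notepad.exe Hashes=MD5=00000000000000000000000000000000,"
    "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "Image=C:\\Users\\bob\\Downloads\\invoice.pdf.exe Hashes=MD5=11111111111111111111111111111111,"
    "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
]
# Constructed proxy/firewall lines (assumed layout, NOT real telemetry).
NET_EVENTS = [
    "2021-02-23T03:41:10Z src=10.0.0.12:51822 dst=194.5.97.116:1360 proto=tcp action=allow",
    "2021-02-23T03:41:11Z src=10.0.0.12:51823 dst=93.184.216.34:443 proto=tcp action=allow",
    "2021-02-23T03:42:00Z src=10.0.0.15:51001 dst=194.5.97.116:443 proto=tcp action=allow",
]

HASH_RE = re.compile(r"(MD5|SHA256)=([0-9A-Fa-f]+)")
IMAGE_RE = re.compile(r"Image=(.*?) Hashes=")
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def has_lure_extension(path):
    """True for names like 'Swift copy .xls.exe': a document extension directly before .exe."""
    name = path.lower()
    return name.endswith(".exe") and any(name[:-4].rstrip().endswith(e) for e in LURE_EXTS)


def scan_file_events(lines):
    """Match hash fields (case-insensitive) against the report's hashes and flag lure names."""
    hits = []
    for line in lines:
        image = IMAGE_RE.search(line)
        path = image.group(1) if image else "?"
        for algo, digest in HASH_RE.findall(line):
            digest = digest.lower()  # Sysmon emits uppercase hex; the report uses lowercase
            table = SHA256_IOCS if algo == "SHA256" else MD5_IOCS
            if digest in table:
                hits.append(Hit("file", f"{algo}:{digest}", f"{path} matches report sample {table[digest]}"))
        if has_lure_extension(path):
            hits.append(Hit("file", "double-extension", f"{path} uses a document extension before .exe"))
    return hits


def scan_network(lines):
    """Exact C2 host:port match, plus a weaker hit for the C2 host on any other port."""
    hits = []
    host, port = C2_ENDPOINT
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        dst_ip, dst_port = m.group(1), int(m.group(2))
        if dst_ip == host and dst_port == port:
            hits.append(Hit("network", f"{host}:{port}", f"exact C2 match: {line}"))
        elif dst_ip == host:
            hits.append(Hit("network", host, f"C2 host on unexpected port {dst_port}: {line}"))
    return hits


def sweep(file_lines=FILE_EVENTS, net_lines=NET_EVENTS):
    return scan_file_events(file_lines) + scan_network(net_lines)


if __name__ == "__main__":
    for h in sweep():
        print(f"[{h.source}] {h.indicator}: {h.detail}")
```

The host-only network match is deliberately reported separately from the exact host:port match: a RAT operator can rotate the listening port without changing the host, so the weaker hit is worth a look but should not be scored like the exact one. Hash matching alone will miss any rebuilt or repacked sample, which is why the double-extension heuristic is included alongside it.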