General
Target: Fedex.zip
Size: 25KB
Sample: 210401-ngye4eca6j
MD5: 30e3b901503ac3fa8fe5a41dbdb2d28f
SHA1: daddb5b99387a0c35e3dfce25af5de6fbbfed943
SHA256: 22bc4fcd0d7610e4618b52e33c5ee551319a4db77796c9e9e1f15d96510e9fa2
SHA512: 76d4aff9a636df1c07b9e36af0235d9d8dea018742e5cfa52c203b5f7af51753a63e7162064a00ee0741d46e1533e81ce1965e41d8b754cf7d0d4d8f234f8eb9
Static task: static1
Behavioral task: behavioral1
  Sample: Fedex.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Fedex.exe
  Resource: win10v20201028
Malware Config
Extracted family: warzonerat
C2 (host:port): 103.199.17.185:5200
Targets
Target: Fedex.exe
Size: 57KB
MD5: 6886a412048c05ed6a7e6cd4242727cf
SHA1: 274723281c4348326ec4e44093a919676da49c2a
SHA256: 7027f79dffddb7f5e3c6c9dc75616681f46d99adfb26663b90f9ced128c0ca74
SHA512: cf830d3704ac47cb4ffaa1d1d9947c1dc0cb687c370113c10d09a85c7c6861eed2b6c7cb241767eb9016df5fbf23348e88e2240589c2faf4a8b9a0f559bbb247
Signatures
- Turns off Windows Defender SpyNet reporting
- WarzoneRat, AveMaria: WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).
- Nirsoft
- Warzone RAT Payload
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
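The report lists two hash sets: one for the submitted container (Fedex.zip, under General) and one for the payload it carries (Fedex.exe, under Targets). Before trusting a copy of the sample pulled from a sharing platform, a practitioner wants to confirm both sets at once and that the archive really contains the member the report describes. The following is an added example, not part of the sandbox report or of any tool it names: a small Python verifier that hashes the container, opens it in memory, hashes each member named in a manifest, and reports a missing member separately from a digest mismatch. The report's own hash values are carried in REPORT_MANIFEST for use against the real files; the self-test data it builds is a constructed stand-in, not the real sample.

```python
"""Verify a sample archive and its members against a hash manifest.

Added example, not part of the sandbox report. REPORT_MANIFEST holds the
digests the report lists; build_constructed_sample() fabricates a stand-in
archive so the verifier can be exercised offline.
"""
import hashlib
import io
import zipfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report (container under General, payload under Targets).
REPORT_MANIFEST = {
    "Fedex.zip": {
        "md5": "30e3b901503ac3fa8fe5a41dbdb2d28f",
        "sha1": "daddb5b99387a0c35e3dfce25af5de6fbbfed943",
        "sha256": "22bc4fcd0d7610e4618b52e33c5ee551319a4db77796c9e9e1f15d96510e9fa2",
        "sha512": "76d4aff9a636df1c07b9e36af0235d9d8dea018742e5cfa52c203b5f7af51753a63e7162064a00ee0741d46e1533e81ce1965e41d8b754cf7d0d4d8f234f8eb9",
    },
    "Fedex.exe": {
        "md5": "6886a412048c05ed6a7e6cd4242727cf",
        "sha1": "274723281c4348326ec4e44093a919676da49c2a",
        "sha256": "7027f79dffddb7f5e3c6c9dc75616681f46d99adfb26663b90f9ced128c0ca74",
        "sha512": "cf830d3704ac47cb4ffaa1d1d9947c1dc0cb687c370113c10d09a85c7c6861eed2b6c7cb241767eb9016df5fbf23348e88e2240589c2faf4a8b9a0f559bbb247",
    },
}


def digests(data: bytes) -> dict:
    """All four digests the report lists, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def verify_blob(data: bytes, expected: dict) -> dict:
    """Compare each expected digest with the computed one; True means it matches."""
    actual = digests(data)
    return {algo: actual[algo] == value.strip().lower()
            for algo, value in expected.items() if algo in actual}


def check_archive(zip_bytes: bytes, container_name: str, manifest: dict) -> dict:
    """Verify the container and every manifest entry that names a member.

    manifest maps file name -> {algo: hex}. The result maps file name ->
    {algo: bool}, or -> None when the manifest names a member the archive
    does not contain (a different failure from a digest mismatch).
    """
    results = {container_name: verify_blob(zip_bytes, manifest[container_name])}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = set(zf.namelist())
        for name, expected in manifest.items():
            if name == container_name:
                continue
            if name not in members:
                results[name] = None
                continue
            results[name] = verify_blob(zf.read(name), expected)
    return results


def all_ok(results: dict) -> bool:
    """True only if every named file was found and every digest matched."""
    return all(r is not None and all(r.values()) for r in results.values())


def build_constructed_sample() -> tuple:
    """Constructed stand-in (not the real sample): a zip holding a fake
    'Fedex.exe' plus a manifest computed from those bytes."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sample\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fedex.exe", payload)
    zip_bytes = buf.getvalue()
    manifest = {"Fedex.zip": digests(zip_bytes), "Fedex.exe": digests(payload)}
    return zip_bytes, manifest


if __name__ == "__main__":
    # Against the real files you would read Fedex.zip from disk and pass
    # REPORT_MANIFEST; here the constructed stand-in exercises the logic.
    zb, man = build_constructed_sample()
    res = check_archive(zb, "Fedex.zip", man)
    for name, r in res.items():
        print(name, "missing from archive" if r is None else r)
    print("all digests match:", all_ok(res))
```

A full match proves only that the file on disk is the one the report analysed, nothing more; a mismatch on a single algorithm with the others passing almost always means a transcription error in the manifest rather than a different file, while a member reported as None means the archive is not the one described and should not be detonated on the strength of this report.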