General
Target: Dhl Notification.zip
Size: 22KB
Sample: 210406-b6frcdqshe
MD5: efcbf22580c7c17fff4235145af86e1a
SHA1: ed8fde01aff29c459f1462356a8f574e03068fba
SHA256: 0ca60d33d6d026801f5c504c67b55ed7476567f63159c7d19547dfff90b3e095
SHA512: 854e582078f9981cd16dbd894c1be56c69a62d48f97e27b206d07d131dc3131c61e756c886dcb2f96ab5b5e864d8bf2d8caf2d733d28aee464cfd7e6a7e4c3a6
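A hash-based sweep over the indicators on this page, added here as an example; it is not output of the sandbox and not part of the report. The digests are the ones listed for the archive above and for the two executables under Targets. The payload bytes and the zip built in `demo_scan` are constructed so the block runs offline, which also means they will not match the real samples. The point it adds to the tables: the attachment is a zip, and the sandbox lists the archive and the executables inside it as separate targets, so a sweep has to hash archive members as well or a re-zipped copy of the same payload slips past.

```python
"""Hash-based IOC sweep for the samples listed in this report.

Added example, not sandbox output.  Digests below are copied from the report;
the payload and zip in demo_scan() are constructed and will not match them.
"""
import hashlib
import io
import zipfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report (the archive plus the two executables it carries).
REPORT_IOCS = {
    "Dhl Notification.zip": {
        "md5": "efcbf22580c7c17fff4235145af86e1a",
        "sha1": "ed8fde01aff29c459f1462356a8f574e03068fba",
        "sha256": "0ca60d33d6d026801f5c504c67b55ed7476567f63159c7d19547dfff90b3e095",
    },
    "Dhl Arrival.exe": {
        "md5": "d8c4d7227e013682827d7dd15eb75c5d",
        "sha1": "435a7ff58f4ace3a87660cc087dd619528bf5904",
        "sha256": "45ce8266b766882c315625e5697ad038178bb3c5bc38fd43debd7cff0f93df6a",
    },
    "Dhl Notification.exe": {
        "md5": "637e720356c1dae795f538c6b3ddcaf5",
        "sha1": "8f6ca0cac4fcb24ea770044ec3da90d162138edf",
        "sha256": "fc80e617c3370a42147ee2c7690dca01f3a70d0fcf435bb1265a6873bd7674ed",
    },
}


def digests(data):
    """All four digests of `data` as lowercase hex, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def build_index(iocs=REPORT_IOCS):
    """Map every known digest, whatever the algorithm, to (target name, algorithm)."""
    index = {}
    for target, hashes in iocs.items():
        for alg, value in hashes.items():
            index[value.lower()] = (target, alg)
    return index


def match_bytes(data, index):
    """(target, algorithm) pairs whose recorded digest equals a digest of `data`.

    Matching on any single algorithm is deliberate: feeds often carry only one
    of MD5/SHA1/SHA256 per sample, so requiring agreement would lose hits.
    """
    found = digests(data)
    return sorted({index[h] for h in found.values() if h in index})


def scan_blob(name, data, index):
    """Check one file and, if it is a zip, every member inside it."""
    hits = [(name, t, a) for t, a in match_bytes(data, index)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info)  # fine for mail attachments; stream for large archives
                hits += [(f"{name}!{info.filename}", t, a)
                         for t, a in match_bytes(member, index)]
    return hits


def scan_dir(root, index):
    """Walk a directory tree; returns every hit as (path, target, algorithm)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits += scan_blob(str(path), path.read_bytes(), index)
    return hits


def demo_scan():
    """Constructed demo: register a fake payload as an IOC, re-zip it, sweep the zip."""
    payload = b"MZ constructed-not-real-malware"  # constructed bytes, not a sample
    iocs = dict(REPORT_IOCS)
    iocs["constructed payload"] = {"sha256": digests(payload)["sha256"]}
    index = build_index(iocs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", payload)
    return scan_blob("constructed.zip", buf.getvalue(), index)


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

Run with no arguments for the constructed demo; point `scan_dir` at a mail quarantine or downloads folder for a real sweep. The outer zip itself never matches, only its member does, which is exactly the case the sandbox's separate archive and executable entries are warning about.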
Static task: static1
Behavioral task: behavioral1
  Sample: Dhl Arrival.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Dhl Arrival.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: Dhl Notification.exe
  Resource: win7v20201028
Malware Config
Extracted: warzonerat
  C2: 103.199.17.185:5200
Extracted: agenttesla
  Protocol: smtp
  Host: Smtp.atlassecuritys.com
  Port: 587
  Username: holyman@atlassecuritys.com
  Password: }I9@Yru*QfuS
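Network-side detection for the two extracted configs, added here as an example; it is not part of the report. The C2 address and port, the SMTP host, port and account are the values extracted above. The log lines are constructed in Zeek JSON style (conn.log, dns.log and smtp.log field names), and 203.0.113.10 is a documentation-range placeholder standing in for whatever the exfil host actually resolved to, which this page does not record. The host name is matched case-insensitively because the config shows it as Smtp.atlassecuritys.com while queries on the wire carry arbitrary case.

```python
"""Network detection for the warzonerat and agenttesla configs extracted above.

Added example, not sandbox output.  Indicators are from the report; the log
lines are constructed in Zeek JSON style, and 203.0.113.10 is a placeholder
for whatever the exfil host resolved to (the report does not say).
"""
import json

WARZONE_C2_IP, WARZONE_C2_PORT = "103.199.17.185", 5200  # warzonerat config
EXFIL_HOST = "smtp.atlassecuritys.com"                     # agenttesla config (shown as Smtp. above)
EXFIL_PORT = 587
EXFIL_ACCOUNT = "holyman@atlassecuritys.com"

# Constructed logs (not from the report); one JSON record per line, Zeek field names.
SAMPLE_DNS_LOG = """
{"ts":1617700001.1,"id.orig_h":"10.0.0.23","query":"www.dhl.com","answers":["198.51.100.5"]}
{"ts":1617700002.2,"id.orig_h":"10.0.0.23","query":"SMTP.atlassecuritys.com","answers":["203.0.113.10"]}
"""
SAMPLE_CONN_LOG = """
{"ts":1617700003.3,"id.orig_h":"10.0.0.23","id.resp_h":"198.51.100.5","id.resp_p":443,"proto":"tcp"}
{"ts":1617700004.4,"id.orig_h":"10.0.0.23","id.resp_h":"103.199.17.185","id.resp_p":5200,"proto":"tcp"}
{"ts":1617700005.5,"id.orig_h":"10.0.0.23","id.resp_h":"203.0.113.10","id.resp_p":587,"proto":"tcp"}
{"ts":1617700006.6,"id.orig_h":"10.0.0.42","id.resp_h":"203.0.113.10","id.resp_p":587,"proto":"tcp"}
{"ts":1617700007.7,"id.orig_h":"10.0.0.77","id.resp_h":"103.199.17.185","id.resp_p":443,"proto":"tcp"}
"""
SAMPLE_SMTP_LOG = """
{"ts":1617700005.6,"id.orig_h":"10.0.0.23","id.resp_h":"203.0.113.10","id.resp_p":587,"mailfrom":"holyman@atlassecuritys.com","rcptto":["holyman@atlassecuritys.com"],"subject":"PW_victim/DESKTOP-1"}
"""


def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_exfil_host(name):
    return name.lower().rstrip(".") == EXFIL_HOST


def exfil_ips(dns_records):
    """Addresses the exfil host resolved to anywhere in the capture."""
    ips = set()
    for rec in dns_records:
        if _is_exfil_host(rec.get("query", "")):
            ips.update(rec.get("answers", []))
    return ips


def detect(dns_records, conn_records, smtp_records):
    """Return (orig_host, family, reason) hits; each indicator is checked on its own."""
    hits = []
    for rec in dns_records:
        if _is_exfil_host(rec.get("query", "")):
            hits.append((rec["id.orig_h"], "agenttesla", f"dns lookup {rec['query']}"))
    resolved = exfil_ips(dns_records)
    for rec in conn_records:
        ip, port = rec.get("id.resp_h"), rec.get("id.resp_p")
        if ip == WARZONE_C2_IP:
            # The address is the indicator; the port only changes confidence.
            note = "configured port" if port == WARZONE_C2_PORT else f"port differs from configured {WARZONE_C2_PORT}"
            hits.append((rec["id.orig_h"], "warzonerat", f"conn to {ip}:{port} ({note})"))
        elif ip in resolved and port == EXFIL_PORT:
            # Correlating through DNS catches hosts whose own lookup was cached or not logged.
            hits.append((rec["id.orig_h"], "agenttesla", f"submission to resolved exfil host {ip}:{port}"))
    for rec in smtp_records:
        addrs = {rec.get("mailfrom", "").lower()} | {a.lower() for a in rec.get("rcptto", [])}
        if EXFIL_ACCOUNT in addrs:
            hits.append((rec["id.orig_h"], "agenttesla", "smtp session using the extracted exfil account"))
    return hits


def infected_hosts(hits):
    """Collapse hits to {orig_host: {families}} for ticketing."""
    out = {}
    for host, family, _ in hits:
        out.setdefault(host, set()).add(family)
    return out


def demo():
    return detect(parse_jsonl(SAMPLE_DNS_LOG), parse_jsonl(SAMPLE_CONN_LOG), parse_jsonl(SAMPLE_SMTP_LOG))


if __name__ == "__main__":
    for host, families in sorted(infected_hosts(demo()).items()):
        print(host, ", ".join(sorted(families)))
```

The account check only fires when the SMTP envelope is visible; on port 587 the session normally upgrades with STARTTLS, so in a real capture the DNS and resolved-address correlation is usually the only agenttesla evidence on the wire. The warzonerat check reports the C2 address on any port and only annotates whether the port matched the config, since operators move ports more readily than hosts.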
Targets

Target: Dhl Arrival.exe
Size: 25KB
MD5: d8c4d7227e013682827d7dd15eb75c5d
SHA1: 435a7ff58f4ace3a87660cc087dd619528bf5904
SHA256: 45ce8266b766882c315625e5697ad038178bb3c5bc38fd43debd7cff0f93df6a
SHA512: 297c747e59af9b2bac175bfc746a894271eb54397b7ad0b3bee0479e28cacef29a0d63aa27260da44609ccf142fddbbe4a47ae33945b95ec53281fba4d79e1f2
Score: 10/10
- Turns off Windows Defender SpyNet reporting
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Nirsoft
- Warzone RAT Payload
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext

Target: Dhl Notification.exe
Size: 28KB
MD5: 637e720356c1dae795f538c6b3ddcaf5
SHA1: 8f6ca0cac4fcb24ea770044ec3da90d162138edf
SHA256: fc80e617c3370a42147ee2c7690dca01f3a70d0fcf435bb1265a6873bd7674ed
SHA512: 96262d4835b3026b473921d5a8b3c115c0958ebe55b5f4f737ea3dc237ae8fd6a21e59bf3e7c8d8b615a206e2d02f11a9c0a0cb4b02b0e204ac2f51bbd4ab54c
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).
- Turns off Windows Defender SpyNet reporting
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
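The registry persistence signatures raised on the targets above (Adds Run key to start application, Modifies WinLogon, Sets DLL path for service in the registry) checked against a registry export, added here as an example and not part of the report. The .reg text is constructed: the page records that these keys were touched but not what was written to them, so the paths in it (a Run entry and a Userinit append pointing into AppData, a ServiceDll under ProgramData) are hypothetical illustrations of what those signatures typically look like on a host. The parser decodes REG_SZ values only and keeps hex() data raw.

```python
"""Registry persistence triage for the signatures listed on this page.

Added example, not sandbox output.  SAMPLE_REG is a constructed .reg export;
the report says which keys were touched, not what was written, so the paths
in it are hypothetical.
"""

DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
DEFAULT_SHELL = "explorer.exe"
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
# Locations a non-admin process can write to; an autostart entry pointing here ranks high.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\regsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSvc\Parameters]
"ServiceDll"="C:\\ProgramData\\WinHelp\\helper.dll"
'''


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; REG_SZ decoded, other types raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name.strip() == "@" else unescape(name.strip().strip('"'))
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = unescape(value[1:-1])
        keys[current][name] = value
    return keys


def image_path(cmd):
    """Executable named by an autostart command line (quoted path, or text up to '.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) != -1:
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ")[0]


def triage(keys):
    """Return (severity, check, detail) findings for the three registry signatures."""
    findings = []
    for key, values in keys.items():
        kl = key.lower()
        if kl.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in values.items():
                path = image_path(cmd)
                sev = "high" if any(m in path.lower() for m in USER_WRITABLE) else "info"
                findings.append((sev, "run-key", f"{key}\\{name} -> {path}"))
        elif kl.endswith("\\windows nt\\currentversion\\winlogon"):
            # Stock value is exactly 'C:\Windows\system32\userinit.exe,'; anything appended runs at logon.
            entries = [e.strip() for e in values.get("Userinit", "").lower().split(",") if e.strip()]
            if entries and entries != [DEFAULT_USERINIT]:
                findings.append(("high", "winlogon-userinit", values["Userinit"]))
            shell = values.get("Shell", "")
            if shell and shell.lower() != DEFAULT_SHELL:
                findings.append(("high", "winlogon-shell", shell))
        elif "\\services\\" in kl and kl.endswith("\\parameters"):
            dll = values.get("ServiceDll", "")
            if dll and not dll.lower().startswith(SYSTEM32_PREFIXES):
                findings.append(("high", "service-dll", f"{key} -> {dll}"))
    return findings


def demo():
    return triage(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Feed it the output of `reg export` for the hives above, or a diff of exports taken before and after detonation. The severity is a ranking for triage, not a verdict: legitimate software does install Run entries under AppData, so the high-ranked lines are the ones to hash and check against the target tables on this page first.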