General
-
Target
DHL.zip
-
Size
143KB
-
Sample
210414-8pez1zs4q6
-
MD5
369aa53c3ca60a386504467e9069a2d0
-
SHA1
abf9451d65e071e71df1d243d75174a63ebe81f5
-
SHA256
6fc8a97e2f6a603c7540e600d30bdb8f0b82d7f9a9dc58defece0a17377abbda
-
SHA512
76d63c2e60e3ebed6a6fc8b27f730fde61db83d53971cea6423020fae9336e9fd4b2eb16d93f4fb717c9caddf49d83092883ba17edbbebd8302a66b78d05b4d7
Static task
static1
Behavioral task
behavioral1
Sample
DHL.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
DHL.exe
Resource
win10v20210408
Malware Config
Extracted
warzonerat
103.199.17.185:5200
Targets
-
-
Target
DHL.exe
-
Size
155KB
-
MD5
8ee83b23a03d6d86237eec9094745b0f
-
SHA1
cd842c86f6e27eac4b25cd0cbf5f36d2eb5b92d1
-
SHA256
485cc2e6034ba95ed0bc7f15273ae707c5c9ddec29e863c2a1f504379ce87dc7
-
SHA512
b7ae33a588aaccabfa3b3e2e77c60318b0e5b72fb37958145dc31c505d282b533fabd6d40cb28c5b10140d677c1c48c1c0797efc345b0ad2068e5961b438358f
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Executes dropped EXE
-
Sets DLL path for service in the registry
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-