General
Target: DHL Notification.zip
Size: 151KB
Sample: 210414-yewgzseg46
MD5: 0ab22a0a0cb3980c01ac6cb936cd55f3
SHA1: b16f747e2de14723433ad41d04f63417cbdc3e8a
SHA256: e04b0a2d8cd202f1888fc4947458f5b3090d370470e511966432b53ba3d4dfad
SHA512: 61fda0f900d2c41bcb9b69159ecb1e5492744273ce5fc50f802238031b5da340a003bd8f923ba3464fbd799089306c28339be49e67871670ebcc2670ba622585

Static task
static1

Behavioral task
behavioral1
Sample: DHL Notification.exe
Resource: win7v20210410

Behavioral task
behavioral2
Sample: DHL Notification.exe
Resource: win10v20210410

Malware Config
Extracted
Family: warzonerat
C2: 103.199.17.185:5200
Targets
Target: DHL Notification.exe
Size: 163KB
MD5: eb15437018c4dda8bec1309dc09b2e14
SHA1: 0e05d49ff0f3fe7b68bbb6557ab726ab7655d3ac
SHA256: 0a488235c3301936360b952234816e277d5cf57f1521df8a3fe91f9103e2c241
SHA512: 78994e140aa0820399a831dcb1815b7add35e5c401a7ac93292fd869607c2d5ee5c5f5aa574eef17690f9a341980f8f7d8e7f3033695ea8674f410c60813b086

- WarzoneRat, AveMaria
  WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.
- Warzone RAT Payload
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext
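The extracted config and the behaviour list above are enough to write a first-pass matcher for host telemetry: hash lookups against the two file IOCs, the C2 endpoint from the warzonerat config, and the registry and file locations behind the Run key, WinLogon, ServiceDll, System32 and Startup signatures. The Python below is an added example written for this page, not code from the sandbox or from the report; the hash and C2 values are copied from the report, while the event records, the SID, the service name, the value names and the process paths are constructed placeholders and were not produced by the sample.

```python
"""Added example: match host telemetry against the IOCs and behaviour
signatures in the sandbox report above. Illustrative code for this page,
not part of the report or of any sandbox tooling. Hash and C2 values are
the report's; every event record below is CONSTRUCTED (the SID, service
name, value names and paths are placeholders) and was not produced by the
sample."""
import hashlib

# File IOCs copied from the report (SHA256 -> file name).
SHA256_IOCS = {
    "e04b0a2d8cd202f1888fc4947458f5b3090d370470e511966432b53ba3d4dfad": "DHL Notification.zip",
    "0a488235c3301936360b952234816e277d5cf57f1521df8a3fe91f9103e2c241": "DHL Notification.exe",
}

# C2 endpoint from the extracted warzonerat config.
C2_ENDPOINTS = {("103.199.17.185", 5200)}

# Lower-cased substrings of a Sysmon-style registry TargetObject that
# correspond to the persistence signatures the sandbox reported. Hive-agnostic
# on purpose: Run keys live under HKLM as well as HKCU/HKU.
PERSISTENCE_KEYS = {
    "\\currentversion\\run\\": "Adds Run key to start application",
    "\\currentversion\\runonce\\": "Adds Run key to start application",
    "\\currentversion\\winlogon\\": "Modifies WinLogon",
    "\\parameters\\servicedll": "Sets DLL path for service in the registry",
}


def sha256_hex(data: bytes) -> str:
    """SHA256 of a file's bytes as lower-case hex, the report's own format."""
    return hashlib.sha256(data).hexdigest()


def match_hash(sha256: str):
    """Return the IOC file name for a SHA256 (case-insensitive), else None."""
    return SHA256_IOCS.get(sha256.strip().lower())


def classify_event(ev: dict) -> list:
    """Map one telemetry event onto the report's signature names (may be empty)."""
    hits = []
    kind = ev.get("type")
    if kind == "network":
        endpoint = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
        if endpoint in C2_ENDPOINTS:
            hits.append("Connects to Warzone RAT C2 %s:%d" % endpoint)
    elif kind == "registry":
        target = ev.get("target", "").lower()
        for needle, signature in PERSISTENCE_KEYS.items():
            if needle in target and signature not in hits:
                hits.append(signature)
    elif kind == "file_create":
        path = ev.get("path", "").lower()
        if path.startswith("c:\\windows\\system32\\"):
            hits.append("Drops file in System32 directory")
        elif "\\start menu\\programs\\startup\\" in path:
            hits.append("Drops startup file")
    return hits


def triage(events) -> dict:
    """Aggregate signature hits per originating process image."""
    summary = {}
    for ev in events:
        for hit in classify_event(ev):
            summary.setdefault(ev.get("image", "<unknown>"), set()).add(hit)
    return summary


# Constructed sample telemetry (not from the sandbox run); all names are
# placeholders, and 192.0.2.10 is a documentation address.
IMAGE = r"C:\Users\victim\AppData\Local\Temp\DHL Notification.exe"
SAMPLE_EVENTS = [
    {"type": "registry", "image": IMAGE,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry", "image": IMAGE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"},
    {"type": "registry", "image": IMAGE,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll"},
    {"type": "registry", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"},
    {"type": "file_create", "image": IMAGE, "path": r"C:\Windows\System32\example.dll"},
    {"type": "network", "image": IMAGE, "dst_ip": "103.199.17.185", "dst_port": 5200},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dst_ip": "192.0.2.10", "dst_port": 443},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image)
        for hit in sorted(hits):
            print("  -", hit)
```

Run stand-alone it prints the hits grouped by process image; the explorer.exe events produce none. Two of the report's signatures, Suspicious use of SetThreadContext and Loads dropped DLL, are deliberately not covered: they need thread and image-load telemetry (ETW or an EDR sensor) rather than registry, file and network events. A Run-key or Winlogon write by an unsigned binary in a Temp directory is a strong lead, but on its own it is a lead, not a verdict, so the C2 endpoint and the file hashes are the matches to act on first.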