General
-
Target
order.doc
-
Size
508KB
-
Sample
210419-y35exqvm7e
-
MD5
645b9ead5f62a6a7ab7fbbd5931c7c6c
-
SHA1
1c2016b51b095f54a2bfb0d8ae90cf1f2b5d2b0f
-
SHA256
fe9fe5b74f717cbf3e5e74ed81cc794b6868a0db0eb3be85689f41fc1e69c63a
-
SHA512
a68303676b5f2cfb9853b0c5c87881879175d449d8fc2102f91f94ab03226b83f2a3da5ffb947e3d1f394beae0e9e5b3d0be8ff293075cbea56fe059a0e44e8e
Malware Config
Extracted
warzonerat
cbngroup.duckdns.org:38050
Targets
-
-
Target
order.doc
-
Size
508KB
-
MD5
645b9ead5f62a6a7ab7fbbd5931c7c6c
-
SHA1
1c2016b51b095f54a2bfb0d8ae90cf1f2b5d2b0f
-
SHA256
fe9fe5b74f717cbf3e5e74ed81cc794b6868a0db0eb3be85689f41fc1e69c63a
-
SHA512
a68303676b5f2cfb9853b0c5c87881879175d449d8fc2102f91f94ab03226b83f2a3da5ffb947e3d1f394beae0e9e5b3d0be8ff293075cbea56fe059a0e44e8e
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-