General
Target: services.exe
Size: 113KB
Sample: 210528-htrhccpq8a
MD5: 4e9f2ab42f55d659b90079a3bb75858c
SHA1: b7481079ec7a825f454bea6d7bf2788d7e286523
SHA256: ac3ac2c7989618e67564ccfad54facd8f4ec7b0ade1e09f323f1d940f3db8ede
SHA512: bba8850ebd6617df9240e4aecd334f81fdb33cf7f3ff2f8973bfee15a45b78c656b96b162660068d558df314ca7b6266cc13f407b8f652d2002512d68e0804f3
Static task: static1
Behavioral task: behavioral1 (sample services.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample services.exe, resource win10v20210410)
Malware Config
Extracted family: warzonerat
C2 (host:port): minerz.duckdns.org:1604
Targets
Target: services.exe (113KB; MD5/SHA1/SHA256/SHA512 identical to the hashes listed under General)
Signatures
WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS). AveMaria is the other name the family is tracked under.
XMRig Miner Payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application (persistence via a CurrentVersion\Run registry value)
Legitimate hosting services abused for malware hosting/C2 (the extracted C2 host is a DuckDNS dynamic-DNS name)
Suspicious use of SetThreadContext (a common process-injection / process-hollowing indicator: the thread context of another process is rewritten before it resumes)
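The indicators above (file hashes, the C2 endpoint, Run-key persistence) are what a defender would feed into host telemetry. The following is an added example, not part of the sandbox report: a small matcher that runs over Sysmon-style events (Event ID 1 process create, 3 network connection, 7 image load, 13 registry value set) using the report's hashes and C2 endpoint. The events are constructed here so the script runs offline; the SID and file paths in them are made up, and the Run-key path pattern is an assumption derived from the "Adds Run key" signature rather than a value taken from the report.

```python
"""Match the report's WarzoneRat IOCs against Sysmon-style events.

Added example; the events below are constructed, not taken from the report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators copied from the report.
IOC_SHA256 = "ac3ac2c7989618e67564ccfad54facd8f4ec7b0ade1e09f323f1d940f3db8ede"
IOC_MD5 = "4e9f2ab42f55d659b90079a3bb75858c"
IOC_C2_HOST = "minerz.duckdns.org"
IOC_C2_PORT = 1604
# Assumption: persistence lands under a ...\CurrentVersion\Run\ value.
RUN_KEY_MARKER = "\\currentversion\\run\\"


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _hashes(event: dict) -> dict[str, str]:
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict."""
    out = {}
    for part in event.get("Hashes", "").split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def match_event(event: dict) -> list[Finding]:
    """Return every IOC rule that fires on one event."""
    findings: list[Finding] = []
    eid = event.get("EventID")
    if eid in (1, 7):  # process create / image load carry file hashes
        h = _hashes(event)
        if h.get("SHA256") == IOC_SHA256 or h.get("MD5") == IOC_MD5:
            findings.append(Finding(eid, "known_sample_hash", event.get("Image", "")))
    if eid == 3:  # network connection
        host = event.get("DestinationHostname", "").lower()
        port = int(event.get("DestinationPort", 0))
        if host == IOC_C2_HOST and port == IOC_C2_PORT:
            findings.append(Finding(eid, "warzone_c2", f"{host}:{port}"))
        elif host.endswith(".duckdns.org"):
            # weaker signal: same dynamic-DNS provider as the extracted C2
            findings.append(Finding(eid, "dyndns_c2_hosting", host))
    if eid == 13 and RUN_KEY_MARKER in event.get("TargetObject", "").lower():
        findings.append(Finding(eid, "run_key_persistence", event.get("Details", "")))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run match_event over a stream of events and collect the findings."""
    results: list[Finding] = []
    for event in events:
        results.extend(match_event(event))
    return results


# Constructed events (paths and SID are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Users\victim\AppData\Roaming\services.exe",
     "Hashes": f"SHA256={IOC_SHA256},MD5={IOC_MD5}"},
    {"EventID": 3,
     "Image": r"C:\Users\victim\AppData\Roaming\services.exe",
     "DestinationHostname": "minerz.duckdns.org", "DestinationPort": "1604"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\services",
     "Details": r"C:\Users\victim\AppData\Roaming\services.exe"},
    {"EventID": 3,  # benign traffic, should not match
     "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "example.com", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The hash rule is the only high-confidence match on its own; the Run-key and DuckDNS rules are broad and are best treated as context that raises the score of a host where the hash or the exact C2 endpoint also fired.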