General
- Target: IMG_701451200.doc
- Size: 29KB
- Sample: 210615-zdfn5ckqrx
- MD5: f603ab897766610aa9609935e5a65359
- SHA1: 9800aef87722cb04b166a74ebf66f84ddfb44aa7
- SHA256: ef9f3640a11c9355fca84a3ded21a4e60b0565a2ccbd70d24bb4204a4c85651f
- SHA512: 152f6be30932cfec62e7d5d596d966f9a2210bdf081e2b3da15271543d84a352e9fa2bc47bf739a7c891f180ea90c760c2c5a98db08f6b6f7ed01888015eec85
Static task
- static1

Behavioral task
- behavioral1 (Sample: IMG_701451200.doc, Resource: win7v20210410)

Behavioral task
- behavioral2 (Sample: IMG_701451200.doc, Resource: win10v20210408)
Malware Config
- Extracted: http://31.210.20.45/527/CossoleApp2.exe
- Extracted: warzonerat (136.144.41.220:91)
Targets
- Target: IMG_701451200.doc
- Size: 29KB
- MD5: f603ab897766610aa9609935e5a65359
- SHA1: 9800aef87722cb04b166a74ebf66f84ddfb44aa7
- SHA256: ef9f3640a11c9355fca84a3ded21a4e60b0565a2ccbd70d24bb4204a4c85651f
- SHA512: 152f6be30932cfec62e7d5d596d966f9a2210bdf081e2b3da15271543d84a352e9fa2bc47bf739a7c891f180ea90c760c2c5a98db08f6b6f7ed01888015eec85
- Score: 10/10
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria. WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext