General
-
Target
Invoice 2107 فاتورة .doc
-
Size
375KB
-
Sample
210710-pt63bt8346
-
MD5
6fa08ff23bec0624d65be6dc25d52734
-
SHA1
12b0caf0169bbde3db96866ef9d9764d1175ac51
-
SHA256
b734458704e0b15a59dd0911ca693b0b0b73bcff265c165a4ec8e707739fd2aa
-
SHA512
cd79921f0fef7d2e366083c82f8172ae22424d4b5e2598ef848d94c3504fc104541608519eb0e30d8961ae5f902769e700d968a39339456ceebf97e5664de2e9
Malware Config
Extracted
httP://hgoz.12v.si/tasksmgr.exe
Extracted
warzonerat
byx.z86.ru:5200
Targets
-
-
Target
Invoice 2107 فاتورة .doc
-
Size
375KB
-
MD5
6fa08ff23bec0624d65be6dc25d52734
-
SHA1
12b0caf0169bbde3db96866ef9d9764d1175ac51
-
SHA256
b734458704e0b15a59dd0911ca693b0b0b73bcff265c165a4ec8e707739fd2aa
-
SHA512
cd79921f0fef7d2e366083c82f8172ae22424d4b5e2598ef848d94c3504fc104541608519eb0e30d8961ae5f902769e700d968a39339456ceebf97e5664de2e9
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-