General
-
Target
IdDetails.ppam
-
Size
14KB
-
Sample
210712-6328lmjcp6
-
MD5
b3c4df30fcb050cd2719916ca70b730d
-
SHA1
724d8d16bb272d7a15197caed16aebea4fa8adcd
-
SHA256
ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7
-
SHA512
f76708ee0cb319c576eb9cf872620c63d8818566be985eb13c258d736b29b1faf9f6f26159c9caba6bc29cd82316739ad8fff1e4ac47c5ee016cd1a2a0613580
Malware Config
Extracted
https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt
Extracted
warzonerat
normanaman.duckdns.org:3009
Targets
-
-
Target
IdDetails.ppam
-
Size
14KB
-
MD5
b3c4df30fcb050cd2719916ca70b730d
-
SHA1
724d8d16bb272d7a15197caed16aebea4fa8adcd
-
SHA256
ef1ac3f12332198e1ef6f01698658258289a63e08ff17b1ddba89e229b8f19b7
-
SHA512
f76708ee0cb319c576eb9cf872620c63d8818566be985eb13c258d736b29b1faf9f6f26159c9caba6bc29cd82316739ad8fff1e4ac47c5ee016cd1a2a0613580
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-
Suspicious use of SetThreadContext
-