General
-
Target
IdDetails.ppam
-
Size
16KB
-
Sample
210712-lspdteb3re
-
MD5
8fb67950eee24c33116c5c8ae87bbde1
-
SHA1
26d8b5eec451ed68f3a61f4f69b4fadffb736d22
-
SHA256
a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
-
SHA512
1c03f7930d08ad4ea8d7fc0f8527d5db6bc618989e8ab9183abe05309d6b9f75f0eef61271059a576e2709a7d6ec5385f206d48ca99eeda9832148fa1117c9e3
Malware Config
Extracted
https://ia801508.us.archive.org/34/items/Coxes/Coxes.txt
Extracted
warzonerat
normanaman.duckdns.org:3009
Targets
-
-
Target
IdDetails.ppam
-
Size
16KB
-
MD5
8fb67950eee24c33116c5c8ae87bbde1
-
SHA1
26d8b5eec451ed68f3a61f4f69b4fadffb736d22
-
SHA256
a524b17edc79f1cacd57f9a07becfd24df6d0ef893d11620cb3c300c86c327ed
-
SHA512
1c03f7930d08ad4ea8d7fc0f8527d5db6bc618989e8ab9183abe05309d6b9f75f0eef61271059a576e2709a7d6ec5385f206d48ca99eeda9832148fa1117c9e3
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-
Suspicious use of SetThreadContext
-