General
-
Target
FINAL INVOICE.doc
-
Size
662KB
-
Sample
210713-ar1ay5ffxs
-
MD5
1f5d7335c8fb08f1685c0a03bef319c7
-
SHA1
c437b8bd154196fbb466b3380010c00931888df3
-
SHA256
c8c027d89dffe9c38eeca218fe9400bb6a28970c22dce6f7b05ceb72bf5d221d
-
SHA512
0bcdd2aa38a2a5407e858d64a43fd7b9d27861dfbb4c7e5c1777ad310b1290dab22c6843cd6c100401aed1b13cba8d7affee925abc1bc6b0ff7c2baca4090b10
Static task
static1
Behavioral task
behavioral1
Sample
FINAL INVOICE.doc
Resource
win7v20210410
Malware Config
Extracted
httP://freebeeskatobi.ydns.eu/kat1.exe
Extracted
nanocore
1.2.2.0
zzeroirt.duckdns.org:4948
hirtoruew.duckdns.org:4948
213f8d87-634f-49a2-b68e-7c41f3bee6d5
-
activate_away_mode
true
-
backup_connection_host
hirtoruew.duckdns.org
-
backup_dns_server
hirtoruew.duckdns.org
-
buffer_size
65535
-
build_time
2021-04-05T13:34:58.963300136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4948
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
213f8d87-634f-49a2-b68e-7c41f3bee6d5
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
zzeroirt.duckdns.org
-
primary_dns_server
zzeroirt.duckdns.org
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
warzonerat
sdafsdffssffs.ydns.eu:6703
Targets
-
-
Target
FINAL INVOICE.doc
-
Size
662KB
-
MD5
1f5d7335c8fb08f1685c0a03bef319c7
-
SHA1
c437b8bd154196fbb466b3380010c00931888df3
-
SHA256
c8c027d89dffe9c38eeca218fe9400bb6a28970c22dce6f7b05ceb72bf5d221d
-
SHA512
0bcdd2aa38a2a5407e858d64a43fd7b9d27861dfbb4c7e5c1777ad310b1290dab22c6843cd6c100401aed1b13cba8d7affee925abc1bc6b0ff7c2baca4090b10
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-