General
Target: KMS2021070.doc
Size: 736KB
Sample: 210713-jcmzme3blx
MD5: 534c00447ba7a9a34de759fca82bba03
SHA1: 27a832c87b0b3e305788bb0c650e967c872b5df1
SHA256: 3fa5812b96d6cafadd11fef3cad5fd31413906b19172b3d0357fe751e94c98a9
SHA512: 2241e9d0747725f33db3f1e36f1f75f891b00881a1cff0765d25be13eea82a3d34860e7306d7d2d70bd7b2de62d2ce8c36c1f490669bc43ebc9eb8590eed9734
Static task: static1
Behavioral task: behavioral1
Sample: KMS2021070.doc
Resource: win7v20210410

Malware Config
Extracted: httP://freebeeskatobi.ydns.eu/obi1.exe
Extracted: warzonerat, dfdgdsasedw.ydns.eu:34566
Targets
Target: KMS2021070.doc
Score: 10/10
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext