General
- Target: Booking.lnk
- Size: 1KB
- Sample: 210717-e289tcgvkj
- MD5: c19da592366d6c173dee901add093e8e
- SHA1: ddd038c49bee36557cd203b581948e98a5e787a1
- SHA256: ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2
- SHA512: 7d9c0d3aa4b8907598f3c0982b32cc35d9afb816de8e350aefac3993cfbcd0e2b3c84ce59d99b9de239b20a10179ea6db9370aa53c89b3c3a1e4c05db8bdd7b3
Static task: static1
Behavioral task: behavioral1
  Sample: Booking.lnk
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Booking.lnk
  Resource: win10v20210408
Malware Config
Extracted: https://ia801509.us.archive.org/29/items/enc-kkkkkkkkkkkooooooookkkkkkkkkkk-2435467568790/Enc_kkkkkkkkkkkooooooookkkkkkkkkkk_2435467568790.txt
Extracted: https://ia601504.us.archive.org/1/items/all-kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk/ALL_kkkkkkkkkkkkooooooooookkkkkkkkkkkkkkk.txt
Extracted: warzonerat, 103.147.184.73:5719
Targets
- Target: Booking.lnk
- Size: 1KB
- MD5: c19da592366d6c173dee901add093e8e
- SHA1: ddd038c49bee36557cd203b581948e98a5e787a1
- SHA256: ab915bb1e45aba4cbbb762e4bac31510539b4a418d8466839bf6e4c1b40b87a2
- SHA512: 7d9c0d3aa4b8907598f3c0982b32cc35d9afb816de8e350aefac3993cfbcd0e2b3c84ce59d99b9de239b20a10179ea6db9370aa53c89b3c3a1e4c05db8bdd7b3
- Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Warzone RAT Payload
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext