THIRD PO.doc

General

Target: THIRD PO.doc
Size: 1MB
Sample: 210720-4y19ffx842
Score: 10/10
MD5: 4126a02a7c1813d85e7aebae88257220
SHA1: c84b7d02f15e5edd969f5815433321d2beb3784f
SHA256: 8f02443e60bace0a38ca66a09f628b5a5cb06e7ecc69011ed27b879f4eaa11c9
SHA512: 8bc6529b39dc2ff046551d1f176e51d0830cce92dab0bd41ce30d7021bf1711114ce97ade4336298106b3325811467f3655a17466add7319a9d013cde9e5ef42

Malware Config

Extracted (language: ps1, deobfuscated)
  URLs
    exe.dropper: httP://hutyrtit.ydns.eu/microC.exe (scheme case as found in the deobfuscated script)

Extracted (family: warzonerat)
  C2: sdafsdffssffs.ydns.eu:6703
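The two values in the extracted config are the indicators worth pivoting on: a dropper URL whose scheme is case-mangled ("httP://") and a C2 given as host:port, both under the ydns.eu dynamic-DNS service. The following is an added example, not code from the sandbox report, that canonicalises both indicators, matches them case-insensitively against a few constructed proxy/DNS log lines, and checks a candidate file against the report's digests. The log lines, the two-label suffix heuristic and the file-verification input are assumptions for illustration, not data from the report.

```python
"""Normalise the report's indicators and match them against log lines.

Added example; not part of the sandbox report. Sample log lines are constructed.
"""
import hashlib
from urllib.parse import urlsplit

# Copied from the "Malware Config" section of the report.
EXTRACTED = {
    "exe.dropper": "httP://hutyrtit.ydns.eu/microC.exe",
    "c2": "sdafsdffssffs.ydns.eu:6703",
}

# Copied from the "General" section of the report.
REPORT_HASHES = {
    "md5": "4126a02a7c1813d85e7aebae88257220",
    "sha1": "c84b7d02f15e5edd969f5815433321d2beb3784f",
    "sha256": "8f02443e60bace0a38ca66a09f628b5a5cb06e7ecc69011ed27b879f4eaa11c9",
    "sha512": "8bc6529b39dc2ff046551d1f176e51d0830cce92dab0bd41ce30d7021bf1711114ce97ade4336298106b3325811467f3655a17466add7319a9d013cde9e5ef42",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalise_url(url: str) -> dict:
    """Lower-case scheme and host; the path is kept as-is (it may be case-sensitive)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    hostport = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return {"scheme": scheme, "host": host, "port": port, "path": parts.path,
            "url": f"{scheme}://{hostport}{parts.path}"}


def normalise_c2(c2: str) -> tuple:
    """Split host:port into (lower-cased host, int port); bracketed IPv6 tolerated."""
    host, _, port = c2.rpartition(":")
    return host.strip("[]").lower(), int(port)


def dns_suffix(host: str, labels: int = 2) -> str:
    """Last two labels of a host. Heuristic (assumption): both indicators sit under
    the ydns.eu dynamic-DNS service, so the suffix is a useful hunting pivot. A
    production version would use the public suffix list instead."""
    return ".".join(host.split(".")[-labels:])


def build_indicators(extracted: dict) -> dict:
    u = normalise_url(extracted["exe.dropper"])
    c2_host, c2_port = normalise_c2(extracted["c2"])
    return {
        "urls": {u["url"]},
        "hosts": {u["host"], c2_host},
        "c2": {(c2_host, c2_port)},
        "dns_suffixes": {dns_suffix(u["host"]), dns_suffix(c2_host)},
    }


# Constructed sample log lines (not from the report); line 2 uses an upper-case host.
SAMPLE_LOG = [
    "2021-07-20T04:59:01 dns query hutyrtit.ydns.eu type=A",
    "2021-07-20T04:59:02 proxy GET http://HUTYRTIT.YDNS.EU/microC.exe 200 application/x-msdownload",
    "2021-07-20T04:59:05 conn 10.0.0.7:51322 -> 203.0.113.5:6703 tcp",
    "2021-07-20T04:59:07 dns query sdafsdffssffs.ydns.eu type=A",
    "2021-07-20T05:00:00 proxy GET https://example.org/index.html 200 text/html",
]


def match_log(lines, indicators: dict) -> list:
    """Return (line, matched host) for lines naming a known host, case-insensitively.
    A bare destination port (line 3) is deliberately not treated as a match."""
    hits = []
    for line in lines:
        low = line.lower()
        for host in sorted(indicators["hosts"]):
            if host in low:
                hits.append((line, host))
                break
    return hits


def verify_hashes(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Which of the report's digests a candidate file matches (all four should agree)."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in expected.items()}


if __name__ == "__main__":
    ioc = build_indicators(EXTRACTED)
    print(ioc)
    for line, host in match_log(SAMPLE_LOG, ioc):
        print("HIT", host, "<-", line)
    print(verify_hashes(b"constructed placeholder, not the sample"))
```

The port-only connection line is left unmatched on purpose: 6703 is not distinctive, and the report gives no resolved IP for the C2, so only the hostnames are safe to match on.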

Targets

Target: THIRD PO.doc
MD5: 4126a02a7c1813d85e7aebae88257220
Filesize: 1MB
Score: 10/10
SHA1: c84b7d02f15e5edd969f5815433321d2beb3784f
SHA256: 8f02443e60bace0a38ca66a09f628b5a5cb06e7ecc69011ed27b879f4eaa11c9
SHA512: 8bc6529b39dc2ff046551d1f176e51d0830cce92dab0bd41ce30d7021bf1711114ce97ade4336298106b3325811467f3655a17466add7319a9d013cde9e5ef42
Tags: (none listed)

Signatures

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro. Consistent with the ps1 dropper in the extracted config, the document's host application spawning a script interpreter is the expected trigger here.

  • WarzoneRat, AveMaria

    Description

    WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS). The family and its C2 (sdafsdffssffs.ydns.eu:6703) come from the extracted config above.

  • Blocklisted process makes network request (a process on the sandbox's blocklist, such as a script host, made an outbound request)

  • Downloads MZ/PE file (an executable was fetched; consistent with the exe.dropper URL in the extracted config)

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext (an API commonly used to redirect a suspended thread in process hollowing and thread-hijack injection)
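The signatures above are behavioural, so they can be reproduced outside the sandbox from endpoint telemetry. The following is an added example, not the sandbox's own detection logic: it runs the checks behind four of the signatures over constructed events that mimic process-create, network, file-write and API-trace records. The field names are an assumed schema, not a real EDR format, and the Word host, the PowerShell command line, the Temp path and the API sequence are all constructed. The report only says SetThreadContext was used suspiciously; the check here looks for the full suspended-create / write / SetThreadContext / resume sequence that process hollowing uses, which is the usual reason that API is flagged.

```python
"""Behavioural checks behind the report's signatures, over constructed events.

Added example; not the sandbox's rules. Event schema, pids and paths are assumptions.
"""
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Classic process-hollowing call order; only the completed sequence is reported.
HOLLOW_SEQUENCE = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

EVENTS = [  # constructed; not taken from the report
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\victim\Downloads\THIRD PO.doc"'},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc <constructed>"},
    {"type": "network", "pid": 200, "url": "httP://hutyrtit.ydns.eu/microC.exe"},
    {"type": "file_write", "pid": 200, "path": r"C:\Users\victim\AppData\Local\Temp\microC.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\victim\AppData\Local\Temp\microC.exe", "cmdline": "microC.exe"},
    {"type": "api", "pid": 300, "api": "CreateProcess", "target": 500, "flags": "CREATE_SUSPENDED"},
    {"type": "api", "pid": 300, "api": "WriteProcessMemory", "target": 500},
    {"type": "api", "pid": 300, "api": "SetThreadContext", "target": 500},
    {"type": "api", "pid": 300, "api": "ResumeThread", "target": 500},
    {"type": "process", "pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Run all checks in event order; returns (finding, *details) tuples."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = set()   # lower-cased paths written under user-writable locations
    progress = {}     # (pid, target pid) -> index reached in HOLLOW_SEQUENCE
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # "Process spawned unexpected child process": Office -> script host
            if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) in SCRIPT_HOSTS:
                findings.append(("unexpected_child", basename(parent["image"]), basename(e["image"])))
            # "Executes dropped EXE": image path was written earlier in this trace
            if e["image"].lower() in dropped:
                findings.append(("executes_dropped_exe", e["image"]))
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            if proc and basename(proc["image"]) in SCRIPT_HOSTS:
                # "Blocklisted process makes network request"
                findings.append(("blocklisted_network", basename(proc["image"]), e["url"]))
                # "Downloads MZ/PE file": extension is a stand-in for the sandbox's
                # MZ-header check on the response body, which this log cannot see.
                if e["url"].lower().endswith(".exe"):
                    findings.append(("downloads_pe", basename(proc["image"]), e["url"]))
        elif e["type"] == "file_write":
            if e["path"].lower().startswith(USER_WRITABLE):
                dropped.add(e["path"].lower())
        elif e["type"] == "api":
            # "Suspicious use of SetThreadContext": require the whole hollowing sequence
            # against one target, starting from a CREATE_SUSPENDED process creation.
            key = (e["pid"], e["target"])
            i = progress.get(key, 0)
            expected = HOLLOW_SEQUENCE[i] if i < len(HOLLOW_SEQUENCE) else None
            suspended = i != 0 or "CREATE_SUSPENDED" in e.get("flags", "")
            if e["api"] == expected and suspended:
                progress[key] = i + 1
                if i + 1 == len(HOLLOW_SEQUENCE):
                    findings.append(("set_thread_context_hollowing", e["pid"], e["target"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Two design points carry over to real telemetry: the dropped-file check needs the file-write to precede the execution in the same trace, and the hollowing check keys on (caller, target) so unrelated SetThreadContext calls (debuggers, some runtimes) do not fire on their own.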

Related Tasks: (none listed)

MITRE ATT&CK Matrix

Tactic columns shown: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. No technique IDs are mapped in this extract.

Tasks

static1
behavioral1: 10/10
behavioral2: 10/10