General
  Target: THIRD PO.doc
  Size:   1.0MB
  Sample: 210720-4y19ffx842
  MD5:    4126a02a7c1813d85e7aebae88257220
  SHA1:   c84b7d02f15e5edd969f5815433321d2beb3784f
  SHA256: 8f02443e60bace0a38ca66a09f628b5a5cb06e7ecc69011ed27b879f4eaa11c9
  SHA512: 8bc6529b39dc2ff046551d1f176e51d0830cce92dab0bd41ce30d7021bf1711114ce97ade4336298106b3325811467f3655a17466add7319a9d013cde9e5ef42
Tasks
  Static task:     static1
  Behavioral task: behavioral1 (sample: THIRD PO.doc, resource: win7v20210410)
  Behavioral task: behavioral2 (sample: THIRD PO.doc, resource: win10v20210408)
Malware Config
  Extracted (download URL):  httP://hutyrtit.ydns.eu/microC.exe
  Extracted (warzonerat C2): sdafsdffssffs.ydns.eu:6703
Targets
  Target: THIRD PO.doc
  Size:   1.0MB
  MD5:    4126a02a7c1813d85e7aebae88257220
  SHA1:   c84b7d02f15e5edd969f5815433321d2beb3784f
  SHA256: 8f02443e60bace0a38ca66a09f628b5a5cb06e7ecc69011ed27b879f4eaa11c9
  SHA512: 8bc6529b39dc2ff046551d1f176e51d0830cce92dab0bd41ce30d7021bf1711114ce97ade4336298106b3325811467f3655a17466add7319a9d013cde9e5ef42
  Score:  10/10

  Signatures
  - Process spawned unexpected child process
    This typically indicates the parent process was compromised via an exploit or macro.
  - WarzoneRat, AveMaria
    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  - Blocklisted process makes network request
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
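The two indicators in the Malware Config block and the first signature above ("Process spawned unexpected child process") translate directly into hunting logic. The following is an added example, not part of the sandbox report: it copies the report's download URL and C2 endpoint into a small matcher and runs the Office-parent / unexpected-child rule over constructed, Sysmon Event ID 1 style process-creation records and DNS query names. The Office host list, the expected-children allowlist, the file paths and the log records are all assumptions made for the example; nothing here records what the sample actually spawned. Note that both indicator hosts sit under ydns.eu, a dynamic DNS service, so the hostnames should be treated as short-lived IOCs and the behavioural rule as the durable part.

```python
"""Added example (not from the sandbox report): turn the report's indicators and
its 'unexpected child process' signature into detection logic, run over
constructed Sysmon-style events."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators copied verbatim from the report's "Malware Config" section.
EXTRACTED_URLS = ["httP://hutyrtit.ydns.eu/microC.exe"]
WARZONE_C2 = ["sdafsdffssffs.ydns.eu:6703"]

# Assumption for this example: Office hosts whose children deserve scrutiny,
# and the few helper processes they are expected to launch.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe"}


@dataclass
class ProcessCreate:
    """Minimal Sysmon Event ID 1 style record (constructed for the example)."""
    parent_image: str
    image: str
    command_line: str = ""


def ioc_hosts() -> Dict[str, str]:
    """Map each indicator hostname (lowercased) to a label describing its role."""
    hosts: Dict[str, str] = {}
    for url in EXTRACTED_URLS:
        # urlsplit lowercases the scheme, so the odd 'httP' casing is harmless.
        hosts[urlsplit(url).hostname.lower()] = "payload url"
    for endpoint in WARZONE_C2:
        host, _, port = endpoint.rpartition(":")
        hosts[host.lower()] = f"warzonerat c2 tcp/{port}"
    return hosts


def basename(image: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return ntpath.basename(image).lower()


def unexpected_child(ev: ProcessCreate) -> bool:
    """The report's 'Process spawned unexpected child process' rule:
    an Office host launching anything outside its expected-children set."""
    return (basename(ev.parent_image) in OFFICE_HOSTS
            and basename(ev.image) not in EXPECTED_CHILDREN)


def classify_dns(query: str) -> Optional[str]:
    """Return the IOC label for a queried name, or None if it is not an indicator."""
    return ioc_hosts().get(query.rstrip(".").lower())


def scan(events: List[ProcessCreate], dns_queries: List[str]) -> List[str]:
    """Run both rules and return human-readable findings."""
    findings: List[str] = []
    for ev in events:
        if unexpected_child(ev):
            findings.append(f"unexpected child: {basename(ev.parent_image)} -> {ev.image}")
    for query in dns_queries:
        label = classify_dns(query)
        if label:
            findings.append(f"ioc dns: {query} ({label})")
    return findings


# Constructed sample telemetry (not from the report): one benign launch of Word,
# one expected helper child, and one child dropped under %TEMP%.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\explorer.exe", WORD),
    ProcessCreate(WORD, r"C:\Windows\splwow64.exe"),
    ProcessCreate(WORD, r"C:\Users\Admin\AppData\Local\Temp\microC.exe"),
]
SAMPLE_DNS = ["hutyrtit.ydns.eu", "sdafsdffssffs.ydns.eu", "www.microsoft.com"]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, SAMPLE_DNS):
        print(line)
```

Against the constructed input the scan produces three findings: the Word-to-%TEMP% child and the two indicator lookups; the explorer-to-Word launch, the splwow64.exe helper and the Microsoft query are left alone.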