General

Target: ddb25c6d3894be202a4ee4b061ce010d
Size: 893KB
Sample: 210915-hn8c8sdagn
MD5: ddb25c6d3894be202a4ee4b061ce010d
SHA1: 5e87d177b7ca71c46f7c37d13a2de5e04b97549d
SHA256: 8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0
SHA512: b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2
Static task: static1

Behavioral task: behavioral1
Sample: ddb25c6d3894be202a4ee4b061ce010d.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: ddb25c6d3894be202a4ee4b061ce010d.exe
Resource: win10-en
Malware Config

Extracted family: warzonerat
C2: severdops.ddns.net:3311
Targets

Target: ddb25c6d3894be202a4ee4b061ce010d
Score: 10/10

Signatures:
- Turns off Windows Defender SpyNet reporting
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Looks for VirtualBox Guest Additions in registry
- Nirsoft
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion:
- Modify Registry: 7
- Disabling Security Tools: 5
- Bypass User Account Control: 1
- Virtualization/Sandbox Evasion: 2
- Scripting: 1