General
-
Target
IMG_RFQ70103260100057.r12
-
Size
7KB
-
Sample
211019-hlznbagcbm
-
MD5
c1907214e8b1b8dd373ee4b5652b5f28
-
SHA1
2001398740b75af17bb757a3d8edc2e623e7f21f
-
SHA256
61fa21c4f1d716dd406241273bd1763af497d919b8008c53f4c85bbbb48d1b64
-
SHA512
c020ae4335ff4b5d9b900c53eafe5133476bec8fbb942168d4ac23c0a02b911b1cc67c94390bd021f5e695015d308480401a984f188e1fbe9a4f8323e4f129b6
Malware Config
Extracted
warzonerat
enginekeysmoney.ddns.net:9671
Targets
-
-
Target
IMG_RFQ70103260100057.exe
-
Size
28KB
-
MD5
4ca7ad65e21778c4ec8fab5129260d32
-
SHA1
461ae78946a55078590300798f08bc00e0e10d9d
-
SHA256
073a9a5eaf10598b2ebf99094fc29e04778ee7272319687d04c53f3d903de94c
-
SHA512
31b22762c0fb2d3d6c39bb5bd94c322a7d13cd6c5fd297e79955cd0095cbd4aaf7f4ab208ac304bf3069ce218a733dae6ac85d65cf15995bcbe649ad705820e8
Score10/10-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-