General
Target: Dues_Schedule.xls
Size: 35KB
Sample: 211026-klfasahac9
MD5: 2cd1c85653a455037cc06e28f618cadd
SHA1: 1c73eecf53204098c00396764f440e94e226e85f
SHA256: f76a6159bfa4a475f623a5969e9ed6f83dc9ba382a0a0e39332507fca8fc06b8
SHA512: 0e6a0eaea95e27be9cee58300c99199bdb307e63672ee68dcc518974014e0a06bd6f9a5ee79df2353d2a99af4f1df54e94e2d08417490bc1912d1d5435426b2b
Static task: static1
Behavioral task: behavioral1 (Sample: Dues_Schedule.xls, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: Dues_Schedule.xls, Resource: win10-en-20211014)
Malware Config
Extracted: warzonerat
mobibagugu.duckdns.org:666
Targets
Target: Dues_Schedule.xls (35KB; same file and hashes as listed under General)
Score: 10/10

Signatures
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT Payload
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext