General
Target: list_9394_spares_0034_394830.pdf.tar
Size: 364KB
Sample: 211202-qq7hqahacj
MD5: f85f304b50f4f8e3daf912f152cc6459
SHA1: d023520ef2077146bd6065dcabc6255037360a75
SHA256: 552056b97b69043abf8aa860469bd915c9c9c7d74c9ab3bc54e768c199618743
SHA512: b380f7949e318d340e298d34a7d1cd091c7cba1139d6a920d3ba6d2268670c65a596015ee7d4174c7e09556ce7b8212f16e3db3dd5b4a872e407eb78020d5437
Static task: static1
Behavioral task: behavioral1
Sample: list_9394_spares_0034_394830.pdf.exe
Resource: win7-en-20211104
Behavioral task: behavioral2
Sample: list_9394_spares_0034_394830.pdf.exe
Resource: win10-en-20211014
Malware Config
Extracted
warzonerat
exportmunic007.duckdns.org:5200
Extracted
netwire
podzeye.duckdns.org:6688
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path:
keylogger_dir:
lock_executable: false
mutex:
offline_keylogger: false
password: Password
registry_autorun: false
startup_name:
use_mutex: false
Targets
Target: list_9394_spares_0034_394830.pdf.exe
Size: 363KB
MD5: 1be7781cf8cd18e3697e1d757df86faf
SHA1: f7287794a7695a5d548e4edb32b85dbfd796ff9b
SHA256: dec95d20b76f488818e6e59450be1f8e927f5c22ae59ed02e958a3e313145ee5
SHA512: 2347bfb437f050da063f2439fd0c1c63237616f5903e477002383e73595cc952e87ca17c48ab23b549a832022d1422cc83705a8d312a4251a518ee978e89b962
NetWire RAT payload
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT Payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext