General
-
Target
4748396557139968.zip
-
Size
45KB
-
Sample
211222-tj5x4agddn
-
MD5
cf552b0ce22b33e433847ffacb47dd37
-
SHA1
7e85dc3fa0c48e974086b0899e02435cfa165265
-
SHA256
ba6105bdabf9b3b9d3358b2aee50d2ac5eea4168daa03ad59062d419d7c372fe
-
SHA512
75fe2b21827ce125d283e80cef9668fa271b18675c39034d6efcd22ea9cacd2c025eac83ac67de62b4d5ee15f437bcd4889b412c82beaefeee519165d3489646
Malware Config
Extracted
https://marks397.co.za/FRE/MAEK.pif
Extracted
warzonerat
jerenyankipong.duckdns.org:5200
Extracted
quasar
1.3.0.0
SUCCESS
jerenyankipong.duckdns.org:4782
MUTEX_jh9iPmixBt74IpSqEj
-
encryption_key
uO9yacYVMmi8921rParX
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
cmd
-
subdirectory
SubDir
Targets
-
-
Target
d480038c9ef06ec8e9d2ffba282c52e8f52f61e233ebb125ca4d3dcbfed9e161
-
Size
73KB
-
MD5
0a2ddcbe4687cf927ba02d332aa2a6d6
-
SHA1
b7fdb409e76495b4bcfb374d68cfcf919fbb4afe
-
SHA256
d480038c9ef06ec8e9d2ffba282c52e8f52f61e233ebb125ca4d3dcbfed9e161
-
SHA512
834a3d6ba33aa7693c962dd690d02d6f63cd8ccbda107a60ed844a28d765ffb5f55e3e51d12eeec7059e6ee52866a7db2d0ad7cb4b8b6ebf500725afcf381240
Score10/10-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Nirsoft
-
Warzone RAT Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-