General

Target: INV-30f434GTtrd.xlsm
Size: 43KB
Sample: 211222-vah8eagdgn
MD5: 42f4b675b2f4b588a2af7a6aa9ec6c32
SHA1: 434eea6e1dcf12fb2a9d553df2af285913865838
SHA256: cf4e53b7758ebb9a9470cb6fd3a2c69fcd96e045534ab80a44eac752c09e50f0
SHA512: e52a2b8d03711f99a259a6680f3a689ce1583de7248e06585500f03437acb13b845d224ee299a848165b7ca14c362f9b5cc9ae6483fae96f574440e4c91b422a
Static task: static1

Behavioral task: behavioral1
Sample: INV-30f434GTtrd.xlsm
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: INV-30f434GTtrd.xlsm
Resource: win10-en-20211208
Malware Config

Extracted: https://marks397.co.za/FRE/MAEK.pif

Extracted: warzonerat
jerenyankipong.duckdns.org:5200

Extracted: quasar
1.3.0.0
SUCCESS
jerenyankipong.duckdns.org:4782
MUTEX_jh9iPmixBt74IpSqEj
encryption_key: uO9yacYVMmi8921rParX
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: cmd
subdirectory: SubDir
Targets

Target: INV-30f434GTtrd.xlsm (size and hashes as listed under General)
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Quasar Payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Nirsoft
- Warzone RAT Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext