General

Target:  343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5
Size:    442KB
Sample:  211222-vbbjysffe8
MD5:     6d5f00a23f0fc84d7e44a9dbcd31e0b4
SHA1:    fcfe53ac6c4727a7d711415632882fc7f5569491
SHA256:  343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5
SHA512:  15cc6af9e8492358ee9041ddb709a87e64723ee41d775ca17ac63a6c1725b006f893313c5cb4bd1cc237dcce6d410900485cd62aa9f4075d308829e1e6994236
Static task:      static1
Behavioral task:  behavioral1
  Sample:   343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5.exe
  Resource: win10-en-20211208
Malware Config

Extracted: warzonerat
  C2: jerenyankipong.duckdns.org:5200

Extracted: quasar
  Version:         1.3.0.0
  Tag:             SUCCESS
  C2:              jerenyankipong.duckdns.org:4782
  Mutex:           MUTEX_jh9iPmixBt74IpSqEj
  encryption_key:  uO9yacYVMmi8921rParX
  install_name:    Client.exe
  log_directory:   Logs
  reconnect_delay: 3000 (milliseconds between reconnect attempts)
  startup_key:     cmd (name of the Run-key value used for startup)
  subdirectory:    SubDir (folder the client is copied into)

Both payloads call back to the same DuckDNS host, on different ports (5200 for Warzone, 4782 for Quasar), so the hostname is the single strongest network indicator for this sample.
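The extracted configs above are only useful if they are turned into something that can be matched against telemetry. The following is an added example (not part of the sandbox report and not Quasar or Warzone code) that derives indicators from the two configs, namely the C2 host/port pairs, the Quasar mutex, the `SubDir\Client.exe` install-path tail and the `cmd` Run-key value name, and runs them over a handful of constructed DNS, connection, process, registry and mutex events. The event shapes and the sample telemetry are assumptions made for the example; the indicator values are the ones from the report.

```python
"""Turn the extracted Warzone and Quasar configs into IOCs and match them
against host and network telemetry.  Added example; the event records below
are constructed, not taken from the sandbox run."""
import re

# Values copied from the Malware Config section of the report.
WARZONE_C2 = "jerenyankipong.duckdns.org:5200"
QUASAR = {
    "version": "1.3.0.0",
    "c2": "jerenyankipong.duckdns.org:4782",
    "mutex": "MUTEX_jh9iPmixBt74IpSqEj",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "cmd",
}


def split_c2(c2):
    """'host:port' -> (host, port); host is lowercased for case-insensitive matching."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def build_iocs(warzone_c2=WARZONE_C2, quasar=QUASAR):
    """Derive matchable indicators from the two configs."""
    c2_pairs = {split_c2(warzone_c2), split_c2(quasar["c2"])}
    return {
        "hosts": {h for h, _ in c2_pairs},
        "c2_pairs": c2_pairs,  # (host, port) tuples
        "mutexes": {quasar["mutex"]},
        # Quasar copies itself to <base folder>\<subdirectory>\<install_name>; the base
        # folder is chosen at build time, so only the path tail is matched here.
        "install_tail": re.compile(
            r"\\" + re.escape(quasar["subdirectory"]) + r"\\"
            + re.escape(quasar["install_name"]) + r"$", re.IGNORECASE),
        # startup_key is the value name the client writes under the Run key.
        "run_value_names": {quasar["startup_key"].lower()},
    }


def match_event(iocs, ev):
    """Return a short reason if the event touches an IOC, otherwise None."""
    t = ev["type"]
    if t == "dns" and ev["query"].lower().rstrip(".") in iocs["hosts"]:
        return "dns:c2-host"
    if t == "connect" and (ev["dst_host"].lower(), ev["dst_port"]) in iocs["c2_pairs"]:
        return "net:c2-endpoint"
    if t == "process" and iocs["install_tail"].search(ev["image"]):
        return "host:quasar-install-path"
    if (t == "registry" and ev["key"].lower().endswith(r"\currentversion\run")
            and ev["value_name"].lower() in iocs["run_value_names"]):
        return "host:run-key-startup"
    if t == "mutex" and ev["name"] in iocs["mutexes"]:
        return "host:quasar-mutex"
    return None


def scan(events, iocs=None):
    """Return [(event index, reason)] for every matching event, in input order."""
    iocs = iocs or build_iocs()
    return [(i, r) for i, ev in enumerate(events) if (r := match_event(iocs, ev))]


# Constructed telemetry (assumed shapes, not sandbox output): five hits, two benign events.
# The last event checks that startup_key "cmd" does not match cmd.exe itself.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "jerenyankipong.duckdns.org."},
    {"type": "connect", "dst_host": "JERENYANKIPONG.duckdns.org", "dst_port": 4782},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "cmd", "data": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
    {"type": "mutex", "name": "MUTEX_jh9iPmixBt74IpSqEj"},
    {"type": "dns", "query": "www.microsoft.com"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(idx, reason, SAMPLE_EVENTS[idx])
```

The connection check deliberately matches the (host, port) pair rather than the port alone: 4782 is Quasar's default port and would be noisy on its own, while the DuckDNS hostname is specific to this sample. The Run-key check matches on the value name, which is why `cmd.exe` as a process image is not flagged.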
Targets

Target: 343547ccd4990682ba60ae259bf210c4a1078e3de6cee1fcfa48d345d83e23e5 (442KB; same sample as under General, hashes listed there)
Signatures:
- Modifies WinLogon for persistence
- Quasar Payload
- WarzoneRat, AveMaria: WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Nirsoft
- Warzone RAT Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
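Two of the signatures above, the Winlogon modification and the SetThreadContext call, are worth checking for on the endpoint rather than only in a sandbox. The following is an added example, not code from the report or from either RAT: a check that flags Winlogon `Shell`/`Userinit` values carrying entries beyond the Windows defaults, and a detector for the create-suspended, write, SetThreadContext, resume call sequence that the SetThreadContext signature usually points at (process hollowing). The registry-event and API-trace record formats, and the sample records, are assumptions made for the example; the default Winlogon values are the stock Windows ones.

```python
"""Host-side checks for two behaviours in the signature list: Winlogon tampering
and a SetThreadContext-based process-hollowing sequence.  Added example; all
event records below are constructed, not sandbox output."""

# Stock Windows values of the two Winlogon entries malware rewrites for persistence.
# Userinit is a comma-separated list, so values are compared as sets of entries.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}


def _entries(data):
    """Split a comma-separated registry string into normalised, non-empty entries."""
    return {e.strip().lower() for e in data.split(",") if e.strip()}


def winlogon_anomalies(reg_events):
    """Return (value name, [extra entries]) for Winlogon Shell/Userinit writes
    that contain anything beyond the default entries."""
    hits = []
    for ev in reg_events:
        if not ev["key"].lower().endswith(r"\windows nt\currentversion\winlogon"):
            continue
        name = ev["value_name"].lower()
        if name not in WINLOGON_DEFAULTS:
            continue
        extra = _entries(ev["data"]) - WINLOGON_DEFAULTS[name]
        if extra:
            hits.append((name, sorted(extra)))
    return hits


CREATE_SUSPENDED = 0x00000004
# Minimal hollowing sequence after a suspended CreateProcess.  Real loaders may
# also call NtUnmapViewOfSection / NtMapViewOfSection in between; those are not
# required here, so the detector tolerates extra calls between the stages.
HOLLOW_SEQUENCE = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def hollowing_candidates(api_trace):
    """Return child PIDs that one parent created suspended and then wrote to,
    retargeted with SetThreadContext and resumed, in that order."""
    state = {}  # child pid -> {"parent": pid, "stage": next index into HOLLOW_SEQUENCE}
    found = []
    for call in api_trace:
        api = call["api"]
        if api.startswith("CreateProcess") and call.get("flags", 0) & CREATE_SUSPENDED:
            state[call["child"]] = {"parent": call["pid"], "stage": 0}
            continue
        child = call.get("target")
        if child not in state or state[child]["parent"] != call["pid"]:
            continue
        if api == HOLLOW_SEQUENCE[state[child]["stage"]]:
            state[child]["stage"] += 1
            if state[child]["stage"] == len(HOLLOW_SEQUENCE):
                found.append(child)
                del state[child]
    return found


# Constructed registry writes: one Shell tamper, one unchanged Userinit, one unrelated key.
REG_EVENTS = [
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value_name": "Shell", "data": r"explorer.exe, C:\ProgramData\images.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value_name": "Userinit", "data": r"C:\Windows\system32\userinit.exe,"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "cmd", "data": r"C:\Users\victim\AppData\Roaming\SubDir\Client.exe"},
]

# Constructed API trace: pid 100 hollows child 200; pid 300 only creates child 400
# suspended and resumes it, which on its own is what a debugger or installer might do.
API_TRACE = [
    {"pid": 100, "api": "CreateProcessW", "child": 200, "flags": CREATE_SUSPENDED},
    {"pid": 100, "api": "NtUnmapViewOfSection", "target": 200},
    {"pid": 100, "api": "WriteProcessMemory", "target": 200},
    {"pid": 100, "api": "SetThreadContext", "target": 200},
    {"pid": 100, "api": "ResumeThread", "target": 200},
    {"pid": 300, "api": "CreateProcessW", "child": 400, "flags": CREATE_SUSPENDED},
    {"pid": 300, "api": "ResumeThread", "target": 400},
]

if __name__ == "__main__":
    print(winlogon_anomalies(REG_EVENTS))
    print(hollowing_candidates(API_TRACE))
```

The Winlogon check compares entry sets rather than raw strings so that the trailing comma Windows leaves on `Userinit` and any spacing around a list are not reported as tampering, while an appended path is. The hollowing detector insists on all three stages from the same parent after a suspended create; a suspended create followed only by `ResumeThread` is left alone.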