General
Target: 58bbda497419849bd851ed97dfde285b9c995a4421af98475776d6879e21309d
Size: 1.5MB
Sample: 220521-n72bxshhhj
MD5: 11e598ad2fd776265951dc0720d55273
SHA1: c708bf1d04672c305491a2a2d75aa41631e69337
SHA256: 58bbda497419849bd851ed97dfde285b9c995a4421af98475776d6879e21309d
SHA512: 5073f4188c36a3ba15d0b1eaff033eb86e447d2d6de4fd9ef3f3632ac6491d9b3a786249e6d24116c2b5ade5450001c0c169de78c49be17399f5bbf537eeec56
Static task: static1

Behavioral task: behavioral1
Sample: Invoices,Pictures jpg jpg jpg jpg.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: Invoices,Pictures jpg jpg jpg jpg.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral3
Sample: Me jpg jpg jpg jpg.exe
Resource: win7-20220414-en

Behavioral task: behavioral4
Sample: Me jpg jpg jpg jpg.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral5
Sample: Products Order pdf pdf pdf pdf.exe
Resource: win7-20220414-en

Behavioral task: behavioral6
Sample: Products Order pdf pdf pdf pdf.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted: warzonerat
198.12.84.39:5200

Extracted: formbook
4.1
hha
Extracted: agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: coronavirus2020
Targets

Target: Invoices,Pictures jpg jpg jpg jpg.exe
Size: 476KB
MD5: bb5454dd5bd4348184f41b2a179fc485
SHA1: fded32c568bf8bfbb4f937f6c6a23be3e4de8e3c
SHA256: 847a17631eb77cdb667aadc9bebec75562fd1dfc4fd6206d2ec2636a11671cca
SHA512: af8b23f670510ee4539ccc14698005567cea83695e53e198a8041c3351d73787a1668221e4d4a0b7c5ee8ebd49cef67e0880c60b12d39b48f17074742f9c5be4
Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Looks for VirtualBox Guest Additions in registry
- Warzone RAT Payload
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: Me jpg jpg jpg jpg.exe
Size: 550KB
MD5: b341988d42a31ad31f64902f802be8cb
SHA1: dcb84aa283342301808bb227d0f768036cccc89a
SHA256: f80c8e9d0e8ed0ffa6b7d8620a0eb890deb7c9dc84dca3198b3d2625bf5d1099
SHA512: 97a260e43f2f77c57d46765d837df1bfa7bbbd27d4e3b8d17a63d68872429301b1be7fa5a735f0a37d7750a63ec98b242a93e7bb6be8ca9a7c9c289fd7b80c32
- Formbook Payload
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
Target: Products Order pdf pdf pdf pdf.exe
Size: 763KB
MD5: 67d6dae8674b82803d9179b2e7416bbe
SHA1: 7f6f189a461595a0d4a6bfb609e4c1c8fe1619d4
SHA256: e749f3ff00bcb6ecd97f1a5d504cac08382a2b22d2b28e726b22d8b3f2770510
SHA512: fd11bfdb26d54da445aeeba66e369658f00228bc070fa1940ced1a6ded89c2a118397b9e44a5607ed75562625895606ed86e95f4850a4062939d866399fa7144
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext