General
Target: 7f7100d9f3b590edf049235f41916b96888018af41a78f4fddf3d0ab0b05c0b3
Size: 1.5MB
Sample: 220521-xz3dpagacp
MD5: 402acc085e31266118f8c32be2018d69
SHA1: 12a3b9294c9e70fafadc79806386695c83af2fe5
SHA256: 7f7100d9f3b590edf049235f41916b96888018af41a78f4fddf3d0ab0b05c0b3
SHA512: 4fb90d3c07fe51df4c8e151463d7aeeac3054adcf5bb82685d42bfd6e2f1d37f970c84cccc9cfcc56e93de6c55757945d229fd68ea984a07e1a008f980201600
Static task: static1
Behavioral task: behavioral1
  Sample: DOC_DELI.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: DOC_DELI.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: mail.crestftb.com
  Port: 587
  Username: ikmero@crestftb.com
  Password: BRIAN22@1234567891011
  Email To: snakelogger@crestftb.com
Extracted: warzonerat
  76.8.53.133:1198
Targets
Target: DOC_DELI.EXE
Size: 976KB
MD5: e48a6f316e081f116c1b9c812f35694d
SHA1: b8c3e97deebce1cfaa821e8ef822754b7c0fdec0
SHA256: adbaaaedf5553fca319364ec9f2685b546fdc135352e96654c692b12e7cd40ed
SHA512: b6dbc3ec04fffe634dde9d990e9035e1f7c9a79c59a1ebb4a9bade12fa70f01ba732ae276d02662ba671bf716d3450c75c922ebdf8821c7ac3c35f4a7010cfba
Snake Keylogger Payload
WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Executes dropped EXE
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext