General
Target: factura 1-000103.js
Size: 279KB
Sample: 220613-ndpq2afhbn
MD5: ccb741ce0a1cc6dc191080bc2daf6367
SHA1: 7c84f832c779ff31848321e876460ee97f2dc7cd
SHA256: f56acd43442adc78877403cc38f8a9b49e356b12c59d1eb994fcd33f44313899
SHA512: 25e29cc884b0177264add07c13dc8693ff1e5e328c535f21ed8ba2c71f5594a3d208f5a8f3cf255bb18da4f63ce3191b46e4367d09c3cf55884a803c327b62f2
Static task: static1
Behavioral task: behavioral1
Sample: factura 1-000103.js
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: factura 1-000103.js
Resource: win10v2004-20220414-en
Malware Config (extracted)
Family: warzonerat
Address: 91.207.57.115:5079
Targets
Target: factura 1-000103.js
Size: 279KB
MD5: ccb741ce0a1cc6dc191080bc2daf6367
SHA1: 7c84f832c779ff31848321e876460ee97f2dc7cd
SHA256: f56acd43442adc78877403cc38f8a9b49e356b12c59d1eb994fcd33f44313899
SHA512: 25e29cc884b0177264add07c13dc8693ff1e5e328c535f21ed8ba2c71f5594a3d208f5a8f3cf255bb18da4f63ce3191b46e4367d09c3cf55884a803c327b62f2
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Signatures
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
Warzone RAT Payload
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application