General
-
Target
0123987INMWN2987.js
-
Size
297KB
-
Sample
220615-p2gwrsfcar
-
MD5
ee4b83dc3501b10be35a258a19b6251f
-
SHA1
8a8036bdfbf85a9c08a713a4e94c6afdda02d4a4
-
SHA256
8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8
-
SHA512
54dd330f4e0dcc779a8fd4f1950270fdab281e50be170af1fb56c5b98f7d561caa18d5cdf485ccbe196aa771f2784287c12dc2891d7fa1aed3055a330cdccf49
Static task
static1
Behavioral task
behavioral1
Sample
0123987INMWN2987.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0123987INMWN2987.js
Resource
win10v2004-20220414-en
Malware Config
Extracted
warzonerat
blessed147.ddns.net:8472
Targets
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-