General
-
Target
0123987INMWN2987.js
-
Size
297KB
-
Sample
220615-p2gwrsfcar
-
MD5
ee4b83dc3501b10be35a258a19b6251f
-
SHA1
8a8036bdfbf85a9c08a713a4e94c6afdda02d4a4
-
SHA256
8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8
-
SHA512
54dd330f4e0dcc779a8fd4f1950270fdab281e50be170af1fb56c5b98f7d561caa18d5cdf485ccbe196aa771f2784287c12dc2891d7fa1aed3055a330cdccf49
Malware Config
Extracted
warzonerat
blessed147.ddns.net:8472
Targets
-
-
Target
0123987INMWN2987.js
-
Size
297KB
-
MD5
ee4b83dc3501b10be35a258a19b6251f
-
SHA1
8a8036bdfbf85a9c08a713a4e94c6afdda02d4a4
-
SHA256
8eaa342d5aa2b44bbe85fb030b6e3f08701be8e2e0a973fe749ac2e2f64907a8
-
SHA512
54dd330f4e0dcc779a8fd4f1950270fdab281e50be170af1fb56c5b98f7d561caa18d5cdf485ccbe196aa771f2784287c12dc2891d7fa1aed3055a330cdccf49
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-