General
-
Target
2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
-
Size
7.4MB
-
Sample
220624-2l3jrafghr
-
MD5
4ad1b0398bc3a371a82923383de2d0a4
-
SHA1
9f977029800b4328dc752741156a6a0e5f6fa109
-
SHA256
2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
-
SHA512
469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b
Static task
static1
Behavioral task
behavioral1
Sample
2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171.exe
Resource
win7-20220414-en
Malware Config
Extracted
remcos
1.7 Pro
Host
seasons444.ddns.net:8128
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
window
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Office_vgqkluqlnw
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
- take_screenshot_title
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
limerat
1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD
-
aes_key
MAXS20
-
antivm
false
-
c2_url
https://pastebin.com/raw/vnPLhhBH
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Extracted
warzonerat
cornerload.dynu.net:5500
Targets
-
-
Target
2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
-
Size
7.4MB
-
MD5
4ad1b0398bc3a371a82923383de2d0a4
-
SHA1
9f977029800b4328dc752741156a6a0e5f6fa109
-
SHA256
2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
-
SHA512
469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b
-
Modifies firewall policy service
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext
-