General
-
Target
Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
-
Size
1.1MB
-
Sample
220802-r9vtpshcck
-
MD5
3506f47af9280b0cee32f9bc9319b461
-
SHA1
23c228520bd16733e7cc54fbf1f4bc48b897a2d9
-
SHA256
9d2a6a4d069a3d2ad99a117b411facbc86de0102a65bf5027c6b0f7dd0ae9014
-
SHA512
e6bd29c8c884a570fc295ac426f0818657dad7bea68023ccff0c7292fd2af71a13e0edc788186651fdc40a5bcd040b6adac61be27058ed4dcfefafeb89dd73a9
Static task
static1
Behavioral task
behavioral1
Sample
Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Resource
win10v2004-20220722-en
Malware Config
Extracted
warzonerat
pentester01.duckdns.org:53078
Targets
-
-
Target
Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
-
Size
1.1MB
-
MD5
3506f47af9280b0cee32f9bc9319b461
-
SHA1
23c228520bd16733e7cc54fbf1f4bc48b897a2d9
-
SHA256
9d2a6a4d069a3d2ad99a117b411facbc86de0102a65bf5027c6b0f7dd0ae9014
-
SHA512
e6bd29c8c884a570fc295ac426f0818657dad7bea68023ccff0c7292fd2af71a13e0edc788186651fdc40a5bcd040b6adac61be27058ed4dcfefafeb89dd73a9
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
ModiLoader Second Stage
-
Warzone RAT payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-