General
Target: CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin.zip
Size: 501KB
Sample: 220802-swmrlshegr
MD5: 9622614e82c54aef575c6a133ca541c3
SHA1: 9dc36cfbf5a2918383205cd8da874f15ce939fd2
SHA256: 570bcfa9b64556d3229ed6616817cd5f1857a8b6e0a7a8f347a3c853a991e081
SHA512: d2ced13d2929da8b2bbf17455cd4cf5a764e32a382347c7d2331d87c7c14b6b1c3f8a92cae2eaf824c511eb183cdb74c1990f1b739a38ee881247f063d0e768f
Static task: static1
Behavioral task: behavioral1
Sample: CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted
Family: warzonerat
C2: pentester01.duckdns.org:53078
Targets
Target: CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin
Size: 943KB
MD5: 6751cb0d76292c6f8a95ad189e3d466b
SHA1: f7d7019833509a4055d3003292bae60720072d20
SHA256: cd63a354530a4199f3819cb8a2dc1567bb98ed75f8a155d240304e42ea8bfbc9
SHA512: 1372b333c5519174c9c36f8dae90dc41f97767d41521df97b0088cb504060233d96de028ec5b2f742704cd1baae8057faab9b7ce5a8874850b8740ef7b9ec8f9
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that abuses cloud file-hosting services to download the next-stage malware families.
- WarzoneRat, AveMaria
  Warzone RAT is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- ModiLoader Second Stage
- Warzone RAT payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
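The report above yields three kinds of indicators a responder can act on right away: the file hashes of the archive and the inner executable, the extracted C2 host:port, and the double-extension lure name (`.xlsx.exe`) under which the sample executed. The following Python script is an added example, not code from the sandbox or from any tool named on this page. It copies the hashes and the C2 value verbatim from the report, and uses constructed byte strings for its self-check (they are not the malware). The dynamic-DNS suffix list and the lure/executable extension sets are assumptions chosen for illustration.

```python
"""Offline IOC triage for the sandbox report above (added example)."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Indicators copied verbatim from the report.
ZIP_NAME = "CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin.zip"
BIN_NAME = "CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.bin"
KNOWN_HASHES: Dict[str, str] = {
    "9622614e82c54aef575c6a133ca541c3": ZIP_NAME,
    "9dc36cfbf5a2918383205cd8da874f15ce939fd2": ZIP_NAME,
    "570bcfa9b64556d3229ed6616817cd5f1857a8b6e0a7a8f347a3c853a991e081": ZIP_NAME,
    "6751cb0d76292c6f8a95ad189e3d466b": BIN_NAME,
    "f7d7019833509a4055d3003292bae60720072d20": BIN_NAME,
    "cd63a354530a4199f3819cb8a2dc1567bb98ed75f8a155d240304e42ea8bfbc9": BIN_NAME,
}
C2 = "pentester01.duckdns.org:53078"

# Assumptions for the lure check: document-looking inner extension followed by an executable one.
LURE_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Assumption: dynamic-DNS zones worth flagging; extend from your own intel.
DDNS_ZONES = (".duckdns.org",)


def digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex MD5/SHA1/SHA256 of the given bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_hash(hexdigest: str) -> Optional[str]:
    """Map any of the report's MD5/SHA1/SHA256 values to the file it identifies."""
    return KNOWN_HASHES.get(hexdigest.lower())


def match_known(data: bytes) -> Optional[str]:
    """Hash the bytes with all three algorithms and look each one up."""
    for h in digests(data).values():
        name = lookup_hash(h)
        if name:
            return name
    return None


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'invoice.xlsx.exe': document extension hiding an executable."""
    root, last = os.path.splitext(os.path.basename(filename).lower())
    _, prev = os.path.splitext(root)
    return last in EXEC_EXTS and prev in LURE_EXTS


def parse_c2(value: str) -> Tuple[str, int]:
    """Split the extracted 'host:port' config value into its parts."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def is_dynamic_dns(host: str) -> bool:
    return host.lower().endswith(DDNS_ZONES)


def triage(filename: str, data: bytes) -> List[str]:
    """Collect findings for one file against the report's indicators."""
    findings = []
    hit = match_known(data)
    if hit:
        findings.append(f"hash matches report artifact {hit}")
    if is_double_extension_lure(filename):
        findings.append("double-extension lure name")
    return findings


if __name__ == "__main__":
    # Constructed input: a harmless MZ-prefixed blob under the reported file name.
    sample = b"MZ" + b"\x00" * 62
    print(triage("CamScanner-Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe", sample))
    host, port = parse_c2(C2)
    print(host, port, "dynamic DNS" if is_dynamic_dns(host) else "static host")
```

Matching on all three hash algorithms lets the same table serve feeds that publish only one of them; the double-extension check catches the renamed copy even when the bytes were repacked and no hash matches, which is exactly the case in the constructed self-check above.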