General
- Target: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
- Size: 216KB
- Sample: 220923-gx7bvsdcg6
- MD5: 9bc102ffb0930f5dee65bde8e0ba6d89
- SHA1: 37cac7507a6ad02a75d947a9bdfe115f2da8b71b
- SHA256: 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
- SHA512: acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
- SSDEEP: 1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP
Static task: static1
Behavioral task: behavioral1
- Sample: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf
- Resource: win10v2004-20220812-en
Malware Config
- Extracted: http://login.929389.ankura.us/AwOgYiWG/explorer.exe
- Extracted: warzonerat, 20.126.95.155:7800
Targets
- Target: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Score: 10/10
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext