General
Target: 208fc4b1d051034e07f3c79c813a68be
Size: 5.1MB
Sample: 220927-e98pcadfcj
MD5: 208fc4b1d051034e07f3c79c813a68be
SHA1: 581c15ee8f6e0ed4d673c8e55331cf214fa38e6e
SHA256: 37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
SHA512: 4fd853051a9a54dbbb539ce0a0614cb3520a582ee72f6edf99effc946e84f3d8c7d20a520f9c0dcf95c9548abf05bf424cea111e35bf28af3072a5f81b9c606a
SSDEEP: 98304:LcOQNJyg0rU78RzjYmO/B1fiVm3crNBxNEH8gmbUzWA6ZHnWwpZ:bQDygMNzjYfBxiVm3CNM8g4ZZH
Static task: static1
Behavioral task: behavioral1
  Sample: 208fc4b1d051034e07f3c79c813a68be.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 208fc4b1d051034e07f3c79c813a68be.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: warzonerat
  C2: sheet.duckdns.org:4110
Extracted: bitrat (version 1.38)
  C2: sheet.duckdns.org:8471
  communication_password: 81dc9bdb52d04dc20036dbd8313ed055 (a 32-hex-character MD5 digest; it is the MD5 of the string "1234")
  install_dir: Install path
  install_file: Install name
  tor_process: tor

Both families in this sample call back to the same dynamic-DNS host, sheet.duckdns.org, on different ports (4110 for WarzoneRAT, 8471 for BitRAT), so a single DNS indicator covers both while the port distinguishes the implant.
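The following is an added example, not part of the sandbox report or either malware family's code. It turns the extracted configuration above into network indicators (Suricata rule text) and checks the BitRAT communication_password field against a short candidate list. The config values are copied from the report; the rule SIDs, the candidate password list and the host/port parsing are assumptions made for the example.

```python
"""Convert the extracted WarzoneRAT / BitRAT config into detection content.

Added example, not part of the sandbox report. Config values are copied from
the report; SIDs and the password candidate list are assumptions.
"""
import hashlib
from dataclasses import dataclass

# Values copied verbatim from the report's Malware Config section.
EXTRACTED_CONFIGS = [
    {"family": "warzonerat", "c2": "sheet.duckdns.org:4110"},
    {"family": "bitrat", "version": "1.38", "c2": "sheet.duckdns.org:8471",
     "communication_password": "81dc9bdb52d04dc20036dbd8313ed055"},
]


@dataclass(frozen=True)
class C2:
    family: str
    host: str
    port: int


def parse_c2(entry: str) -> tuple:
    """Split 'host:port' on the last colon (handles IPv6-style hosts too)."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def c2_indicators(configs) -> list:
    """One C2 record per extracted config, preserving report order."""
    out = []
    for cfg in configs:
        host, port = parse_c2(cfg["c2"])
        out.append(C2(cfg["family"], host, port))
    return out


def suricata_rules(c2s, base_sid=9000000) -> list:
    """Emit one DNS-query rule per unique host and one TCP rule per host:port.

    SIDs are hypothetical; choose a range that does not collide with your
    existing ruleset before deploying.
    """
    rules = []
    sid = base_sid
    for host in sorted({c.host for c in c2s}):
        rules.append(
            f'alert dns any any -> any any (msg:"RAT C2 DNS lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    for c in sorted(c2s, key=lambda c: (c.host, c.port)):
        rules.append(
            f'alert tcp $HOME_NET any -> any {c.port} '
            f'(msg:"{c.family} C2 traffic to {c.host}:{c.port}"; '
            f'flow:to_server; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


def recover_bitrat_password(md5_hex: str, candidates) -> str:
    """The communication_password field is a 32-hex MD5 digest; try a short
    wordlist against it. The candidate list is an assumption for the example."""
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == md5_hex.lower():
            return cand
    return None


if __name__ == "__main__":
    c2s = c2_indicators(EXTRACTED_CONFIGS)
    for rule in suricata_rules(c2s):
        print(rule)
    pw = EXTRACTED_CONFIGS[1]["communication_password"]
    print("communication_password cleartext:",
          recover_bitrat_password(pw, ["password", "1234", "admin", "bitrat"]))
```

The DNS rule is the higher-value one: duckdns names re-resolve freely, so alerting on the resolved IP alone would go stale, whereas the query name is stable for as long as the operator keeps the config. Port-only TCP rules are noisy on their own; pair them with the DNS hit or with the connecting process.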
Targets
Target: 208fc4b1d051034e07f3c79c813a68be
Size: 5.1MB
MD5: 208fc4b1d051034e07f3c79c813a68be
SHA1: 581c15ee8f6e0ed4d673c8e55331cf214fa38e6e
SHA256: 37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
SHA512: 4fd853051a9a54dbbb539ce0a0614cb3520a582ee72f6edf99effc946e84f3d8c7d20a520f9c0dcf95c9548abf05bf424cea111e35bf28af3072a5f81b9c606a
SSDEEP: 98304:LcOQNJyg0rU78RzjYmO/B1fiVm3crNBxNEH8gmbUzWA6ZHnWwpZ:bQDygMNzjYfBxiVm3CNM8g4ZZH
Score: 10/10
Signatures:
WarzoneRat, AveMaria
  WarzoneRAT (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service, with multiple plugins.
Warzone RAT payload
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
Loads dropped DLL
Adds Run key to start application
AutoIt Executable
  AutoIt scripts compiled to PE executables.
Suspicious use of NtSetInformationThreadHideFromDebugger
  The sample calls NtSetInformationThread with ThreadHideFromDebugger, which detaches the thread from any attached debugger; this is an anti-analysis technique observed by the sandbox's API hooks rather than something visible in normal host telemetry.
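As an added example (not part of the sandbox report and not the sandbox's own detection logic), the block below applies host-side checks for the behaviours listed above: a dropped executable run from a user-writable directory, a Run-key persistence write, and DNS lookups and connections to the extracted C2. The events are constructed to mimic Sysmon event types 1, 3, 13 and 22, not data captured from the sandbox run; the file paths, SID, registry value name and IP address in them are assumptions. NtSetInformationThreadHideFromDebugger is deliberately left out, since Sysmon does not see that call.

```python
"""Host-side triage of Sysmon-style events for the behaviours in the report.

Added example, not from the sandbox report. SAMPLE_EVENTS are constructed
(paths, SID, registry value name and IP are assumptions).
"""
import re

# Run / RunOnce keys under any hive (HKLM, HKU\<SID>, ...).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# User-writable locations that dropped payloads are typically executed from.
DROP_DIR_RE = re.compile(
    r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Indicators copied from the report's Malware Config section.
C2_HOSTS = {"sheet.duckdns.org"}
C2_PORTS = {4110, 8471}


def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one Sysmon-style event dict."""
    hits = []
    eid = ev["EventID"]
    if eid == 1 and DROP_DIR_RE.search(ev.get("Image", "")):
        hits.append(("dropped_exe_execution", ev["Image"]))
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append(("run_key_persistence",
                     f'{ev["TargetObject"]} = {ev.get("Details", "")}'))
    if eid == 22 and ev.get("QueryName", "").lower() in C2_HOSTS:
        hits.append(("c2_dns_query", ev["QueryName"]))
    if eid == 3 and (ev.get("DestinationHostname", "").lower() in C2_HOSTS
                     or ev.get("DestinationPort") in C2_PORTS):
        hits.append(("c2_connection",
                     f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}'))
    return hits


def triage(events) -> list:
    """Run every check over every event; keep the originating process."""
    findings = []
    for ev in events:
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "pid": ev.get("ProcessId"),
                             "image": ev.get("Image"), "detail": detail})
    return findings


def distinct_behaviours(findings) -> int:
    """Number of distinct rules hit; several from one process is the report's picture."""
    return len({f["rule"] for f in findings})


# Constructed events modelled on the report's behaviours (not sandbox data).
DROPPED = r"C:\Users\victim\AppData\Local\Temp\208fc4b1d051034e07f3c79c813a68be.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": DROPPED,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 4120, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-10-20-30-1001\Software\Microsoft\Windows\CurrentVersion\Run\Install name",
     "Details": r"C:\Users\victim\AppData\Roaming\Install path\Install name.exe"},
    {"EventID": 22, "ProcessId": 4120, "Image": DROPPED,
     "QueryName": "sheet.duckdns.org"},
    {"EventID": 3, "ProcessId": 4120, "Image": DROPPED, "DestinationIp": "203.0.113.10",
     "DestinationPort": 4110, "DestinationHostname": "sheet.duckdns.org"},
    {"EventID": 3, "ProcessId": 4120, "Image": DROPPED, "DestinationIp": "203.0.113.10",
     "DestinationPort": 8471, "DestinationHostname": "sheet.duckdns.org"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # benign control
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["rule"]:24} pid={f["pid"]} {f["detail"]}')
```

Correlating on ProcessId (or, with real Sysmon data, ProcessGuid) is what turns four individually noisy rules into a confident verdict: a process that both writes a Run key and connects to a dynamic-DNS host on the extracted ports matches the report's picture far better than either alert alone.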