General

  • Target: UPS Delivery Info.exe
  • Size: 665KB
  • Sample: 221115-te2pwaef28
  • MD5: 010233bc921206bf5f3cf343695520c8
  • SHA1: 6e5558813b1926d2e95173f532171ab4a095d117
  • SHA256: fb98878de141d3a4a27e64c29ec0e8427e000c59e8d7018ed8e1faf3e69e4634
  • SHA512: 3727f5d0eb8e326f0ab6a980c491872573c550b1059258e41f420c179895f6c3ad2017a40092285a9286b33675c50519e471a2e33d3c8a37c454b10effa32194
  • SSDEEP: 12288:2B4XMgcpCYrN5HIgT+XbLFY6iWT7a/qmsFtw8674c21Rx:hICQdfT+YjWT/c8674c21b

Malware Config

Extracted

  • Family: warzonerat
  • C2: pastorcc.duckdns.org:2223

Targets

    • Target: UPS Delivery Info.exe
    • Size: 665KB
    • MD5: 010233bc921206bf5f3cf343695520c8
    • SHA1: 6e5558813b1926d2e95173f532171ab4a095d117
    • SHA256: fb98878de141d3a4a27e64c29ec0e8427e000c59e8d7018ed8e1faf3e69e4634
    • SHA512: 3727f5d0eb8e326f0ab6a980c491872573c550b1059258e41f420c179895f6c3ad2017a40092285a9286b33675c50519e471a2e33d3c8a37c454b10effa32194
    • SSDEEP: 12288:2B4XMgcpCYrN5HIgT+XbLFY6iWT7a/qmsFtw8674c21Rx:hICQdfT+YjWT/c8674c21b

    • WarzoneRat, AveMaria
      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks