General
-
Target
Approved PO - GF-A104-PO-060.exe
-
Size
879KB
-
Sample
221130-cqp2sacg5z
-
MD5
3c6e49db9ebf35e860a45cac78d9676e
-
SHA1
952c45b62ea3fe96418177055682b01904fcc238
-
SHA256
9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
-
SHA512
9ccc7ebc6b2b4e6bf16a757797a5ccd112ea187d280278773df094cd05ad6b80b660f430d1b08eafa7ba101bb77deed33c6da507d2df10dc43f3c2981200834e
-
SSDEEP
24576:etHXTwz0bRreC/ctnNbnWnS/ronBocjc:etOoeCtSMnBNjc
Static task
static1
Behavioral task
behavioral1
Sample
Approved PO - GF-A104-PO-060.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Approved PO - GF-A104-PO-060.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
warzonerat
chexfotii.ddns.net:4545
Targets
-
-
Target
Approved PO - GF-A104-PO-060.exe
-
Size
879KB
-
MD5
3c6e49db9ebf35e860a45cac78d9676e
-
SHA1
952c45b62ea3fe96418177055682b01904fcc238
-
SHA256
9c9b7deb6e3b6b7154fb858a101eb57d65b57e364840213823ce5c8e0be1653e
-
SHA512
9ccc7ebc6b2b4e6bf16a757797a5ccd112ea187d280278773df094cd05ad6b80b660f430d1b08eafa7ba101bb77deed33c6da507d2df10dc43f3c2981200834e
-
SSDEEP
24576:etHXTwz0bRreC/ctnNbnWnS/ronBocjc:etOoeCtSMnBNjc
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
ModiLoader Second Stage
-
Warzone RAT payload
-
Sets DLL path for service in the registry
-
Deletes itself
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-