General
- Target: 4b18f04f67d984f26bde939db2a8170c4971c25037bd34e97e0385345221211f
- Size: 1.7MB
- Sample: 221130-jyqfvabh42
- MD5: 98d3de1fee81076c174e89ee642e2d22
- SHA1: 9ef2b0f58167dd0ccbd4bcdc4e0f700d404e50d1
- SHA256: 4b18f04f67d984f26bde939db2a8170c4971c25037bd34e97e0385345221211f
- SHA512: 4e4d1035dc3e40923466d0f545fe3092cf6515819e2fdee5576b30535ad845619001178cea73fb574fea47cd7260ff272e88d6e79d9da6ef52a6c9162d231c0d
- SSDEEP: 49152:CXa5RpUssYwBGfmwDwDjn/ugZqRiEjwO4MprC:U4a9nwDwDTdZq8pMp
Static task: static1
Behavioral task: behavioral1
Sample: 4b18f04f67d984f26bde939db2a8170c4971c25037bd34e97e0385345221211f.exe
Resource: win10-20220812-en
Malware Config
Extracted
remcos
PeterObi2023
76.8.53.133:1198
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: sdfge.exe
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: fghoiuytr.dat
- keylog_flag: false
- mouse_option: false
- mutex: fghjcvbn-UURPOS
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: dfghrtyu
- take_screenshot_option: false
- take_screenshot_time: 5
Extracted
remcos
IYKE
76.8.53.133:1198
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: explorer.exe
- copy_folder: machines
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: true
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: 12345MEEE
- mouse_option: false
- mutex: 12345MEEE-NS9UK1
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: explorer
- take_screenshot_option: false
- take_screenshot_time: 5
Extracted
warzonerat
76.8.53.133:1198
Targets
- Target: 4b18f04f67d984f26bde939db2a8170c4971c25037bd34e97e0385345221211f
- Size: 1.7MB
- MD5: 98d3de1fee81076c174e89ee642e2d22
- SHA1: 9ef2b0f58167dd0ccbd4bcdc4e0f700d404e50d1
- SHA256: 4b18f04f67d984f26bde939db2a8170c4971c25037bd34e97e0385345221211f
- SHA512: 4e4d1035dc3e40923466d0f545fe3092cf6515819e2fdee5576b30535ad845619001178cea73fb574fea47cd7260ff272e88d6e79d9da6ef52a6c9162d231c0d
- SSDEEP: 49152:CXa5RpUssYwBGfmwDwDjn/ugZqRiEjwO4MprC:U4a9nwDwDTdZq8pMp
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext