General
Target: ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
Size: 2.1MB
Sample: 221130-zja1lsgb8z
MD5: da10ff1e72683c714b10987686b9d695
SHA1: 4990862369970af40430125e4cf3376fc8ea33cf
SHA256: ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
SHA512: f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63
SSDEEP: 49152:41TJDnj5Bf7ZRw8BxsqGg/FoK02W643x9HTQp:CTJbNBfjwisqGg/vm6efHTQ
Static task: static1
Behavioral task: behavioral1
Sample: ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f.exe
Resource: win10-20220812-en
Malware Config
Extracted: remcos
PeterObi2023
76.8.53.133:1198
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: sdfge.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: fghoiuytr.dat
keylog_flag: false
mouse_option: false
mutex: fghjcvbn-UURPOS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: dfghrtyu
take_screenshot_option: false
take_screenshot_time: 5
Extracted: remcos
IYKE
76.8.53.133:1198
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: explorer.exe
copy_folder: machines
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: true
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: 12345MEEE
mouse_option: false
mutex: 12345MEEE-NS9UK1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: explorer
take_screenshot_option: false
take_screenshot_time: 5
Extracted: warzonerat
76.8.53.133:1198
Targets
Target: ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f
Size: 2.1MB
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext