General
Target: 4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0.exe
Size: 1.0MB
Sample: 221208-pwrh1sda3t
MD5: 6ba9e47323d73f463b7ff58e074e6336
SHA1: cc1f04e4805756e698f9c81205b975cb5452d858
SHA256: 4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0
SHA512: 608559edaf6256530832cbcf95e69a932499c6597384d9ce7b7756c0073eabf3df5ead2ba2548710ee5138de27434ae31424614afd34e2976c039e55f26633a4
SSDEEP: 24576:M1ZIJHZxeAaa3RSGKzsozvq5oOqLM2xl/f:M1ZIEoQq5c/
Static task: static1
Behavioral task: behavioral1 (sample 4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample 4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0.exe, resource win10v2004-20220901-en)
Malware Config
Extracted (next-stage download URL, Google Drive direct download): https://drive.google.com/uc?export=download&id=1G6Bhh3ATcd3XGLeNSU7NvohuVsf0-dBL
Extracted (warzonerat C2): chexfotii.ddns.net:4545
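The two extracted configuration values above (the Drive direct-download URL and the Warzone C2 host:port) are the indicators a responder would turn into checks first. The following is an added example, not part of the sandbox report: it verifies a local file against the report's hash set, pulls the file id out of a `uc?export=download&id=` URL, and runs those indicators over a few constructed egress log lines whose format is an assumption for the demo.

```python
"""IOC checks derived from the report's hash set and Malware Config (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "6ba9e47323d73f463b7ff58e074e6336",
    "sha1": "cc1f04e4805756e698f9c81205b975cb5452d858",
    "sha256": "4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0",
    "sha512": "608559edaf6256530832cbcf95e69a932499c6597384d9ce7b7756c0073eabf3df5ead2ba2548710ee5138de27434ae31424614afd34e2976c039e55f26633a4",
}
STAGE_URL = "https://drive.google.com/uc?export=download&id=1G6Bhh3ATcd3XGLeNSU7NvohuVsf0-dBL"
C2 = "chexfotii.ddns.net:4545"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute every digest the report lists, so a local copy can be compared."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True only if all four digests match; one mismatch means it is a different file."""
    computed = hash_bytes(data)
    return all(computed[alg] == SAMPLE_HASHES[alg] for alg in SAMPLE_HASHES)


def drive_file_id(url: str) -> Optional[str]:
    """Return the file id from a Drive uc?export=download&id=... URL, else None.

    This is the direct-download form the loader abuses; share/view URLs are ignored.
    """
    u = urlparse(url)
    if u.hostname != "drive.google.com" or u.path != "/uc":
        return None
    q = parse_qs(u.query)
    if q.get("export") != ["download"]:
        return None
    ids = q.get("id")
    return ids[0] if ids else None


def split_c2(c2: str) -> Tuple[str, int]:
    """Split the report's host:port C2 string."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


# Constructed egress log lines for the demo (assumed format: time host verb target [status]).
LOG_LINES = [
    "2022-12-08T15:01:02Z HOST1 GET https://drive.google.com/uc?export=download&id=1G6Bhh3ATcd3XGLeNSU7NvohuVsf0-dBL 200",
    "2022-12-08T15:01:03Z HOST1 GET https://drive.google.com/uc?export=download&id=ConstructedOtherId 200",
    "2022-12-08T15:01:09Z HOST1 CONNECT chexfotii.ddns.net:4545",
    "2022-12-08T15:02:00Z HOST2 GET https://example.com/index.html 200",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Tag lines that hit the exact stage URL, any Drive direct download, or the C2."""
    hits: List[Tuple[str, str]] = []
    stage_id = drive_file_id(STAGE_URL)
    c2_host, c2_port = split_c2(C2)
    for line in lines:
        for token in line.split():
            if token.startswith("http"):
                fid = drive_file_id(token)
                if fid is not None and fid == stage_id:
                    hits.append(("modiloader_stage_url", line))
                elif fid is not None:
                    # Generic: a Drive direct download is worth a look on its own.
                    hits.append(("drive_direct_download", line))
            elif token == f"{c2_host}:{c2_port}":
                hits.append(("warzone_c2", line))
    return hits


if __name__ == "__main__":
    for tag, line in scan_log(LOG_LINES):
        print(tag, line)
```

The generic `drive_direct_download` tag is deliberately separate from the exact-URL match: the file id will change between campaigns, while the `uc?export=download` pattern from an endpoint that does not normally pull from Drive is the part of the indicator that survives.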
Targets
Target: 4b6cc04ec52357c0483d142018e4bd0535581912d5cb2b12e34dd71ed3f43dd0.exe (1.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi loader that misuses legitimate cloud services to download other malware families; in this sample it stages the Warzone RAT payload.
-
WarzoneRat, AveMaria
WarzoneRat (also known as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS); its C2 in this sample is chexfotii.ddns.net:4545.
-
ModiLoader Second Stage
-
Warzone RAT payload
-
Blocklisted process makes network request
-
Sets DLL path for service in the registry
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles (Outlook account settings stored in the registry; commonly read for credential theft)
-
Adds Run key to start application (persistence via the Run registry key)
-
Legitimate hosting services abused for malware hosting/C2 (the Google Drive download URL in the Malware Config above)
-
Modifies WinLogon (persistence via Winlogon registry values)
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext (typical of process hollowing and other thread-hijacking injection)