General
- Target: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
- Size: 1.7MB
- Sample: 230111-mwm5gsbh28
- MD5: 0af5c337082f7f3d9249ca5cdfd2d4ce
- SHA1: aeb90df77e8fc06b9a42287cb277710e5305c9bc
- SHA256: 069da9838ffd1b21d13c0a1952608e29e64e7b40847ab3fb67e16cfd797ab834
- SHA512: 12e07a9e86bbad4b34b0a603f62396fae24746a7d349a7506a83d625da08fd0dd8fc6dea2d6828f62ccc8e13a3f885831cd65f0b4ed3e97368298f809270ee73
- SSDEEP: 49152:eafU0nviMsLVdf2Hc5HxK0Es0WLw2ifBJ6Qu:VfHKzLzf2QAJrfc
Static task: static1
Behavioral task: behavioral1
- Sample: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
- Resource: win10v2004-20221111-en
Malware Config
Extracted: darkcomet
New-July-July4-01
dgorijan20785.hopto.org:35800
DC_MUTEX-N3AV3EU
- gencode: sGSTFQ1pY1TB
- install: false
- offline_keylogger: true
- password: hhhhhh
- persistence: false
Extracted: warzonerat
45.74.4.244:5199
dgorijan20785.hopto.org:5199
Extracted: asyncrat
0.5.6A
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
servtle284
- delay: 5
- install: true
- install_file: wintskl.exe
- install_folder: %AppData%
Extracted: darkcomet
New-July-July4-0
45.74.4.244:35800
DC_MUTEX-RT27KF0
- gencode: cKUHbX2GsGhs
- install: false
- offline_keylogger: true
- password: hhhhhh
- persistence: false
Targets
- Target: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Async RAT payload
- Warzone RAT payload
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext