General

Target: Fast-Tron-Miner.exe
Size: 2.2MB
Sample: 230112-e6931aba6s
MD5: e11f714458bb37d1110164c28a5796f1
SHA1: ed61ad0cb3a346b469a07cd20763d3f28a750102
SHA256: e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
SHA512: e2b0ab25bc9b458321e06c2ad61d7938407c73d4c32b1a65ee466743a73bd3c392e93438675859d0eeb0877670e884f6cb71a935d6dfbf1ff898933a6000ae0b
SSDEEP: 49152:TzeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:y1UoRtpJg/lx7xY9phBF1ptC2ekM

Static task: static1
Behavioral task: behavioral1
  Sample: Fast-Tron-Miner.exe
  Resource: win10v2004-20220812-en

Malware Config

Extracted: darkcomet
New-July-July4-01
dgorijan20785.hopto.org:35800
DC_MUTEX-U4BEN1Z
gencode: 8sAQdbHcGDto
install: false
offline_keylogger: true
password: hhhhhh
persistence: false

Extracted: warzonerat
dgorijan20785.hopto.org:5199
45.74.4.244:5199

Extracted: asyncrat
0.5.6A
45.74.4.244:6606
45.74.4.244:7707
45.74.4.244:8808
servtle284
delay: 5
install: true
install_file: wintskl.exe
install_folder: %AppData%

Extracted: darkcomet
New-July-July4-0
45.74.4.244:35800
DC_MUTEX-RT27KF0
gencode: cKUHbX2GsGhs
install: false
offline_keylogger: true
password: hhhhhh
persistence: false

Targets

Target: Fast-Tron-Miner.exe
Size: 2.2MB
MD5: e11f714458bb37d1110164c28a5796f1
SHA1: ed61ad0cb3a346b469a07cd20763d3f28a750102
SHA256: e40093ff2134c0c7ab3cbdb58575c8e892ed7e0af9fa9721c2777fbbe7e216fe
SHA512: e2b0ab25bc9b458321e06c2ad61d7938407c73d4c32b1a65ee466743a73bd3c392e93438675859d0eeb0877670e884f6cb71a935d6dfbf1ff898933a6000ae0b
SSDEEP: 49152:TzeEP61UdA1RtpDlgwG20lx7xV+59phiYBF1h3tfK2ek0jg:y1UoRtpJg/lx7xY9phBF1ptC2ekM

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Async RAT payload
- Warzone RAT payload
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
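The extracted configs above and the persistence signatures translate directly into hunt indicators. The following is an added example, not code from the sandbox report or from any of the malware families: it turns the C2 hosts and ports, the mutex names and the AsyncRAT install path into an indicator set and runs it over constructed telemetry. The network lines and host events are made up for the demo; their field names loosely follow Sysmon events 3, 11 and 13, and the MutexCreate records stand in for a hypothetical EDR feed (Sysmon itself does not log mutex creation). Treating servtle284 as the AsyncRAT mutex, and treating the bare IP as an indicator on any port, are assumptions made here.

```python
"""Indicator matching built from the extracted configs in this report.

Added example, not code from the sandbox report. Indicator values are copied
from the config block above; the telemetry below is constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass

# C2 endpoints from the extracted configs (dynamic-DNS host plus the bare IP).
C2_HOSTS = {"dgorijan20785.hopto.org", "45.74.4.244"}
C2_PORTS = {
    "darkcomet": {35800},
    "warzonerat": {5199},
    "asyncrat": {6606, 7707, 8808},
}
PORT_TO_FAMILY = {p: fam for fam, ports in C2_PORTS.items() for p in ports}

# Mutex names from the configs. DC_MUTEX-* are DarkComet; servtle284 is assumed
# to be the AsyncRAT mutex because it sits in the AsyncRAT config block.
MUTEXES = {"DC_MUTEX-U4BEN1Z": "darkcomet", "DC_MUTEX-RT27KF0": "darkcomet",
           "servtle284": "asyncrat"}

# AsyncRAT install_folder %AppData% + install_file, compared case-insensitively.
ASYNCRAT_DROP = "\\appdata\\roaming\\wintskl.exe"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Hit:
    family: str   # darkcomet / warzonerat / asyncrat / unknown
    reason: str
    record: str


# Constructed Sysmon-event-3-style line: NetworkConnect image=<exe> dst=<host> dport=<n>
NET_LINE = re.compile(r"NetworkConnect image=(?P<image>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_network(lines):
    """Flag every connection to a C2 host; attribute a family when the port
    matches a config, otherwise report 'unknown' (the host alone is an IOC)."""
    hits = []
    for line in lines:
        m = NET_LINE.search(line)
        if not m or m["dst"].lower() not in C2_HOSTS:
            continue
        port = int(m["dport"])
        fam = PORT_TO_FAMILY.get(port, "unknown")
        hits.append(Hit(fam, f"connection to C2 {m['dst']}:{port}", line))
    return hits


def match_host(events):
    """events: dicts with an 'event' kind (FileCreate / RegistryValueSet /
    MutexCreate), constructed to resemble Sysmon 11/13 plus an EDR mutex feed."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "FileCreate" and ev.get("path", "").lower().endswith(ASYNCRAT_DROP):
            hits.append(Hit("asyncrat", "install_file dropped under %AppData%", str(ev)))
        elif kind == "RegistryValueSet" and RUN_KEY in ev.get("target", "").lower():
            # Any new Run value is worth a look; one pointing at the drop path is AsyncRAT.
            if ASYNCRAT_DROP in ev.get("data", "").lower():
                hits.append(Hit("asyncrat", "Run key pointing at wintskl.exe", str(ev)))
            else:
                hits.append(Hit("unknown", "new Run key value", str(ev)))
        elif kind == "MutexCreate" and ev.get("name") in MUTEXES:
            hits.append(Hit(MUTEXES[ev["name"]], f"mutex {ev['name']}", str(ev)))
    return hits


def summarize(hits):
    """Count hits per family so a triage queue can be sorted by attribution."""
    return dict(Counter(h.family for h in hits))


# Constructed telemetry (not from the report).
SAMPLE_NET = [
    "10:00:01 NetworkConnect image=C:\\Users\\u\\Desktop\\Fast-Tron-Miner.exe dst=dgorijan20785.hopto.org dport=35800",
    "10:00:02 NetworkConnect image=C:\\Users\\u\\AppData\\Roaming\\wintskl.exe dst=45.74.4.244 dport=6606",
    "10:00:03 NetworkConnect image=C:\\Windows\\explorer.exe dst=45.74.4.244 dport=5199",
    "10:00:04 NetworkConnect image=C:\\Windows\\System32\\svchost.exe dst=update.example dport=443",
    "10:00:05 NetworkConnect image=C:\\Windows\\System32\\svchost.exe dst=45.74.4.244 dport=80",
]
SAMPLE_HOST = [
    {"event": "FileCreate", "image": "Fast-Tron-Miner.exe",
     "path": "C:\\Users\\u\\AppData\\Roaming\\wintskl.exe"},
    {"event": "RegistryValueSet", "image": "Fast-Tron-Miner.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wintskl",
     "data": "\"C:\\Users\\u\\AppData\\Roaming\\wintskl.exe\""},
    {"event": "MutexCreate", "image": "Fast-Tron-Miner.exe", "name": "DC_MUTEX-U4BEN1Z"},
    {"event": "MutexCreate", "image": "wintskl.exe", "name": "servtle284"},
    {"event": "MutexCreate", "image": "OneDrive.exe", "name": "Local\\OneDriveUpdate"},
    {"event": "RegistryValueSet", "image": "setup.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "C:\\Program Files\\Vendor\\updater.exe"},
]

if __name__ == "__main__":
    hits = match_network(SAMPLE_NET) + match_host(SAMPLE_HOST)
    for h in hits:
        print(f"[{h.family}] {h.reason}")
    print(summarize(hits))
```

The port-to-family split matters in practice: 45.74.4.244 serves three families on different ports, so a connection to it on a port outside the configs (the last sample line) still fires as an indicator but is left unattributed rather than guessed. The dynamic-DNS name dgorijan20785.hopto.org should be matched on the DNS query as well as on the resolved address, since the IP behind a hopto.org name can change between the sandbox run and your hunt.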