General
Target: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
Size: 1.8MB
Sample: 230128-x79sqsga33
MD5: e9c7c1618703c0a089195fcf12ff572a
SHA1: d484e95c67866254562b534169bbc4e8ca8aa759
SHA256: ad44f81905413748eaab45e02235be449046433f2acf0edc8bdc0f5d73fca77a
SHA512: 976b7669a32eaa57d78f21341287111eb4602f018d74075ec57a9347c892af200784c5ad14d8e5bb536d8c16c735092e110f11dae6eaac502b093d176a10bb64
SSDEEP: 49152:nfU0nviMsLVdf2Hc5HxK0Es0WLw2ifBJ6Zy:nfHKzLzf2QAJrf0y
Static task: static1
Behavioral task: behavioral1
  Sample: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr
  Resource: win10v2004-20220812-en
Malware Config
Extracted: darkcomet
  New-July-July4-01
  dgorijan20785.hopto.org:35800
  DC_MUTEX-N3AV3EU
  gencode: sGSTFQ1pY1TB
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Extracted: asyncrat
  0.5.6A
  45.74.4.244:6606
  45.74.4.244:7707
  45.74.4.244:8808
  servtle284
  delay: 5
  install: true
  install_file: wintskl.exe
  install_folder: %AppData%
Extracted: warzonerat
  dgorijan20785.hopto.org:5199
  45.74.4.244:5199
Extracted: darkcomet
  New-July-July4-0
  45.74.4.244:35800
  DC_MUTEX-RT27KF0
  gencode: cKUHbX2GsGhs
  install: false
  offline_keylogger: true
  password: hhhhhh
  persistence: false
Targets
Target: Private_Key_17GbKcfZiM6EFW86fhgTAoN7TfBcdmW4d6.scr (file details as listed under General above)
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Async RAT payload
- Warzone RAT payload
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext