General
- Target: Invoice # W0005588 deposit receipt.exe
- Size: 1.3MB
- Sample: 230207-dwbl1scd4s
- MD5: a4e060ebd5bb75b17e61e711c97b8ec0
- SHA1: 1b4ae0ef24fb82fdda481a556ee48b158b7232aa
- SHA256: 0c904d84b3edcea793d00182f0a98d0d39ece6920fa6d685b1dbf26d9cce054e
- SHA512: 5d2327c62f3124c7f4495e4332ca7b9631c7d533796338a02c97c1d3e0c9169446010ae7069029e285046d5b4fb7dde4df662111bdd1060835b01341e1204754
- SSDEEP: 12288:GHs3k6pbTKiiEuuSl34BMtWTUagOOM7PUEUz6EZKuo0HHCCCBjsBkp:es3k6pbThoW4agOOM7UP2rj6k
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice # W0005588 deposit receipt.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Invoice # W0005588 deposit receipt.exe
- Resource: win10v2004-20220901-en
Malware Config
Extracted
- Family: asyncrat
- Botnet: Default
- C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
- Telegram Bot API URL (exfiltration channel): https://api.telegram.org/bot5531971933:AAG8JA2N30pvOArb-NFK-vqpR7T6tJAugJ4/sendMessage?chat_id=5566800623
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
The loopback C2 hosts and the mutex are the stock defaults of the open-source AsyncRAT client, so they identify the family rather than this particular build; the Telegram bot token and chat_id are the operator-specific indicators worth alerting on.
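As an added example (not part of the sandbox report or of any of the named malware families), the following Python turns the extracted config listing above into a structured IOC record, separates AsyncRAT builder defaults from operator-specific values, and runs the result over proxy log lines. The config values are copied from the report; the log lines, their format, and the `PROXY_LOG` / `match_logs` names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# The AsyncRAT configuration exactly as the report lists it above.
CONFIG_LINES = [
    "asyncrat",
    "Default",
    "127.0.0.1:6606",
    "127.0.0.1:7707",
    "127.0.0.1:8808",
    "https://api.telegram.org/bot5531971933:AAG8JA2N30pvOArb-NFK-vqpR7T6tJAugJ4/sendMessage?chat_id=5566800623",
    "AsyncMutex_6SI8OkPnk",
    "delay", "3",
    "install", "false",
    "install_folder", "%AppData%",
]

# Values shipped in the open-source AsyncRAT client's default settings;
# a sample carrying them has those fields untouched by the operator.
ASYNCRAT_DEFAULT_C2 = {("127.0.0.1", 6606), ("127.0.0.1", 7707), ("127.0.0.1", 8808)}
ASYNCRAT_DEFAULT_MUTEX = "AsyncMutex_6SI8OkPnk"
OPTION_KEYS = {"delay", "install", "install_folder"}

HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
TELEGRAM = re.compile(r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/sendMessage")
ANY_TELEGRAM_BOT = re.compile(r"https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/sendMessage")


def parse_config(lines):
    """Turn the flat config listing into a structured IOC record."""
    ioc = {"family": lines[0], "profile": None, "c2": [], "telegram": None,
           "mutex": None, "options": {}}
    bare = []
    i = 1
    while i < len(lines):
        line = lines[i]
        if line in OPTION_KEYS:            # option key, value is on the next line
            ioc["options"][line] = lines[i + 1]
            i += 2
            continue
        if m := HOSTPORT.match(line):
            ioc["c2"].append((m["host"], int(m["port"])))
        elif m := TELEGRAM.match(line):
            chat = parse_qs(urlparse(line).query).get("chat_id", [None])[0]
            ioc["telegram"] = {"token": m["token"],
                               "bot_id": m["token"].split(":")[0],
                               "chat_id": chat}
        else:
            bare.append(line)              # profile name, then mutex
        i += 1
    if bare:
        ioc["profile"] = bare[0]
    if len(bare) > 1:
        ioc["mutex"] = bare[1]
    return ioc


def assess(ioc):
    """Split IOCs into builder defaults (weak: every stock AsyncRAT build shares
    them) and operator-specific values (strong: safe to alert on)."""
    weak, strong = [], []
    for host, port in ioc["c2"]:
        (weak if (host, port) in ASYNCRAT_DEFAULT_C2 else strong).append(f"{host}:{port}")
    if ioc["mutex"]:
        (weak if ioc["mutex"] == ASYNCRAT_DEFAULT_MUTEX else strong).append(ioc["mutex"])
    if ioc["telegram"]:
        strong.append(f"telegram bot {ioc['telegram']['bot_id']} chat_id {ioc['telegram']['chat_id']}")
    return weak, strong


# Constructed proxy log lines (not from the report): "<time> <client> <method> <url>".
PROXY_LOG = [
    "10:01:02 10.0.0.15 GET https://api.ipify.org/",
    "10:01:03 10.0.0.15 POST https://api.telegram.org/bot5531971933:AAG8JA2N30pvOArb-NFK-vqpR7T6tJAugJ4/sendMessage?chat_id=5566800623",
    "10:05:44 10.0.0.22 POST https://api.telegram.org/bot1234567890:AAFakeTokenForAnotherBot/sendMessage?chat_id=1",
    "10:06:00 10.0.0.31 GET https://www.example.com/",
]


def match_logs(ioc, log_lines):
    """Return (line, confidence) for lines touching this sample's channels.
    The exact bot token or chat_id is high confidence; any other Telegram bot
    sendMessage call is medium, since the API is legitimate but an unusual
    destination for an endpoint. Default loopback C2 hosts are never matched."""
    hits = []
    tg = ioc["telegram"]
    for line in log_lines:
        url = line.split()[-1]
        if tg and (tg["token"] in url or f"chat_id={tg['chat_id']}" in url):
            hits.append((line, "high"))
        elif ANY_TELEGRAM_BOT.search(url):
            hits.append((line, "medium"))
        elif any(f"{h}:{p}" in url for h, p in ioc["c2"] if (h, p) not in ASYNCRAT_DEFAULT_C2):
            hits.append((line, "high"))
    return hits


if __name__ == "__main__":
    ioc = parse_config(CONFIG_LINES)
    weak, strong = assess(ioc)
    print("weak (builder defaults):", weak)
    print("strong (operator-specific):", strong)
    for line, confidence in match_logs(ioc, PROXY_LOG):
        print(confidence, line)
```

Matching on the bot token rather than on `api.telegram.org` alone keeps the rule usable in environments where Telegram is permitted; the medium-confidence tier catches a rebuilt sample with a rotated token at the cost of reviewing legitimate bot traffic.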
Targets
- Target: Invoice # W0005588 deposit receipt.exe (1.3MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- StormKitty payload
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Async RAT payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service: uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext: a pattern associated with process hollowing and other thread-hijacking injection.