General
- Target: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
- Size: 552B
- Sample: 230227-f8s3yabg8t
- MD5: e4e334efd3ed0f23499a75127e2662aa
- SHA1: 7e460968dcbc7ddc8b8c6ede94798e54fbfc5e63
- SHA256: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
- SHA512: 75d26061e143542f13a05839b054aaaac2146b5ea79bcf94b587169e822f27c525a8cf30f39e3048d5249346adacbeb2695a45a68e0bee48fdd2035ed068ade8
Static task
- static1

Behavioral task
- behavioral1
  - Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  - Resource: win7-20230220-en

Behavioral task
- behavioral2
  - Sample: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9.ps1
  - Resource: win10-20230220-en
Malware Config

Extracted
- http://79.110.62.167/link/agent.exe

Extracted
- remcos
- N
- 173.212.217.108:1050
- zab4ever.no-ip.org:1050
- 1zab4ever.no-ip.org:1050
- 1zab4ever.duckdns.org:1050
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: svhost.exe
- delete_file: false
- hide_file: true
- hide_keylog_file: true
- install_flag: true
- install_path: %WinDir%
- keylog_crypt: false
- keylog_file: psibos.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: hgfjioupsc-UDD5UN
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Windows VHost
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Targets
- Target: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
- Size: 552B
- MD5: e4e334efd3ed0f23499a75127e2662aa
- SHA1: 7e460968dcbc7ddc8b8c6ede94798e54fbfc5e63
- SHA256: c6bf32612e9edda0f05636131ee97f6d651a252fe31858d01baa8c402dadf7e9
- SHA512: 75d26061e143542f13a05839b054aaaac2146b5ea79bcf94b587169e822f27c525a8cf30f39e3048d5249346adacbeb2695a45a68e0bee48fdd2035ed068ade8
- Detects Smokeloader packer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext