General
Target: DHL AWB-5024310182061023.exe
Size: 803KB
Sample: 230328-hqcpcabc3x
MD5: 61f8c53e08e9c12e4d7165fa02ecc3cf
SHA1: 20e127b70df0d0cd4ded053f8f942c21fdaa14da
SHA256: c2ea82e013d071b92727a34296c5f5aac06c125a1f2c56917af8ebc06ac6183e
SHA512: a516e4abd675ff1629197a429770795f4688c63b5cc50785d925ac71a367d615bcc0ffe45241dc8fd91c5db2570f697b909fccb8ef752d86460f5cf244567233
SSDEEP: 12288:x2swnFTt7oRDoKgphGvVgKRZ1Eb6IZ1nszTgAJ+fMZu643VaxBP8:x2hVoUphGtgKREbpZ1CEAJ+fyuS
Static task: static1
Behavioral task: behavioral1
Sample: DHL AWB-5024310182061023.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: DHL AWB-5024310182061023.exe
Resource: win10v2004-20230221-en
Malware Config
Extracted
Family: warzonerat
C2: crossedward26.duckdns.org:36864
Targets
- Target: DHL AWB-5024310182061023.exe
  Size: 803KB
  MD5: 61f8c53e08e9c12e4d7165fa02ecc3cf
  SHA1: 20e127b70df0d0cd4ded053f8f942c21fdaa14da
  SHA256: c2ea82e013d071b92727a34296c5f5aac06c125a1f2c56917af8ebc06ac6183e
  SHA512: a516e4abd675ff1629197a429770795f4688c63b5cc50785d925ac71a367d615bcc0ffe45241dc8fd91c5db2570f697b909fccb8ef752d86460f5cf244567233
  SSDEEP: 12288:x2swnFTt7oRDoKgphGvVgKRZ1Eb6IZ1nszTgAJ+fMZu643VaxBP8:x2hVoUphGtgKREbpZ1CEAJ+fyuS
- ModiLoader, DBatLoader
  ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud services to download and stage other malware families.
- WarzoneRat, AveMaria
  WarzoneRat (also tracked as AveMaria) is a native C++ remote access trojan with multiple plugins, sold as malware-as-a-service (MaaS).
- ModiLoader Second Stage
- Warzone RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
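The report above gives three things a responder can hunt on directly: the file hashes, the extracted WarzoneRAT C2 (host and port), and the "Adds Run key" persistence behaviour. The following script is an added example, not part of the sandbox report or of any tool it was produced with. It carries the report's hashes and C2 as constants and matches them against hashed files, an EDR-style hash export, and log lines. The network and registry log lines embedded in it are constructed for the example (the field names, the dropped file path and the IP addresses are assumptions, not observations from the sample).

```python
"""Hunt for the indicators in the sandbox report above.

Added example, not code from the report or from the sandbox vendor.
Hashes and C2 host:port are taken from the report; every log line below is
constructed for the example.
"""
import hashlib
import re

# Indicators taken from the report.
IOC_HASHES = {
    "md5": "61f8c53e08e9c12e4d7165fa02ecc3cf",
    "sha1": "20e127b70df0d0cd4ded053f8f942c21fdaa14da",
    "sha256": "c2ea82e013d071b92727a34296c5f5aac06c125a1f2c56917af8ebc06ac6183e",
}
C2_HOST = "crossedward26.duckdns.org"
C2_PORT = 36864

# Autostart registry paths behind the "Adds Run key to start application" signature
# (HKCU and HKLM share the same subkey path, so only the subkey is matched).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

# Constructed network log: a DNS lookup, the C2 connection, and a benign TLS connection.
NETWORK_LOG = """\
2023-03-28T08:41:02Z proto=dns qname=crossedward26.duckdns.org qtype=A
2023-03-28T08:41:03Z proto=tcp src=10.0.0.15:51234 dst=203.0.113.9:36864 host=crossedward26.duckdns.org
2023-03-28T08:41:10Z proto=tcp src=10.0.0.15:51240 dst=93.184.216.34:443 host=example.com
""".splitlines()

# Constructed Sysmon-style registry events (EventID 13 = registry value set).
# "dropped_stage2.exe" is a placeholder name, not the sample's real drop path.
REGISTRY_LOG = r"""
EventID=13 Image=C:\Users\Public\dropped_stage2.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\stage2 Details=C:\Users\Public\dropped_stage2.exe
EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)
""".strip().splitlines()


def hash_bytes(data):
    """md5/sha1/sha256 of an in-memory blob, keyed like IOC_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in IOC_HASHES}


def hash_file(path):
    """Same digests for a file on disk, streamed so large files do not need to fit in memory."""
    digests = {name: hashlib.new(name) for name in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hashes_match_ioc(hashes):
    """True if any supplied digest (md5/sha1/sha256, any case) equals the report's value."""
    return any(hashes.get(name, "").lower() == value for name, value in IOC_HASHES.items())


def find_c2_hits(lines):
    """Return (line_no, reason) for lines naming the C2 host.

    The port alone is not used as an indicator: 36864 is an ordinary high port and
    would match unrelated traffic, so it only strengthens a host match.
    """
    hits = []
    host = C2_HOST.lower()
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if host in low:
            reason = "c2-host+port" if re.search(rf":{C2_PORT}\b", low) else "c2-host"
            hits.append((n, reason))
    return hits


def find_run_key_writes(lines):
    """Return (line_no, TargetObject) for registry writes under a Run/RunOnce key."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"TargetObject=(\S+)", line)
        if m and any(key in m.group(1).lower() for key in RUN_KEYS):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    print("C2 hits:", find_c2_hits(NETWORK_LOG))
    print("Run key writes:", find_run_key_writes(REGISTRY_LOG))
    print("hash export matches report:", hashes_match_ioc({"SHA256": IOC_HASHES["sha256"]}))
```

`hash_file` is what you would point at a quarantined attachment; `hashes_match_ioc` takes a dict as exported by most EDR consoles, so the hash comparison does not depend on having the file. Because the C2 lives on a dynamic-DNS domain, the hostname is the durable indicator; the resolved IP in the log can change between runs and is deliberately not hard-coded.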