General

Target: PO_23509-23510.xls
Size: 1.0MB
Sample: 230329-jpmnlafc98
MD5: 3ff60872925b136a4a02f9646b605df3
SHA1: 9d2eec41446241b5dd654fad00062b92b0e8f340
SHA256: 64832b9f03d64470940e7481e9adfb6fa728d8a822cc7c649f8e32eafa18125b
SHA512: 9d6890cf25cdd1a67edffff1c4ee6605160e24aa8a3fb76a0add988f7fc2b8caa61b2062e333310eef0e1fc358af734974b1badd5072171dd4074048579c1388
SSDEEP: 24576:jLKnSSMMednEoakAmmjmRakAmmjmu+MXUkfOt2222222222222222222222K27P:jLKRMLaaoeaao9+MXiB

Static task: static1

Behavioral task: behavioral1
Sample: PO_23509-23510.xls
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: PO_23509-23510.xls
Resource: win10v2004-20230220-en
Malware Config

Extracted: remcos
SixthClients:
  top.not2beabused01.xyz:1558
  sub.not2beabused02.xyz:1558
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: appsync.exe
copy_folder: Appsync
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: Appsync
keylog_path: %AppData%
mouse_option: false
mutex: Appsync-TYGH55
screenshot_crypt: false
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Appsync
take_screenshot_option: true
take_screenshot_time: 55
take_screenshot_title: mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;

Extracted: warzonerat
  top.not2beabused01.xyz:1668
Targets

Target: PO_23509-23510.xls
Size: 1.0MB
MD5: 3ff60872925b136a4a02f9646b605df3
SHA1: 9d2eec41446241b5dd654fad00062b92b0e8f340
SHA256: 64832b9f03d64470940e7481e9adfb6fa728d8a822cc7c649f8e32eafa18125b
SHA512: 9d6890cf25cdd1a67edffff1c4ee6605160e24aa8a3fb76a0add988f7fc2b8caa61b2062e333310eef0e1fc358af734974b1badd5072171dd4074048579c1388
SSDEEP: 24576:jLKnSSMMednEoakAmmjmRakAmmjmu+MXUkfOt2222222222222222222222K27P:jLKRMLaaoeaao9+MXiB

Signatures
- Modifies WinLogon for persistence
- WarzoneRat, AveMaria: WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Warzone RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
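The extracted configuration and the behavioral signatures above are what a responder turns into hunting artifacts. The following Python is an added example, not part of the sandbox report and not code from Remcos, WarzoneRat or the report author: it parses the flattened key/value layout of the Remcos config into structured indicators (C2 endpoints, the dropped executable path, the Run value name, the mutex, the screenshot-trigger keywords) and runs three checks over constructed Sysmon-style events. The victim profile path, the key=value event format and the assumption that Remcos matches screenshot keywords as case-insensitive substrings of the window title are all assumptions, not facts the report states.

```python
"""Added example: structured IOCs and detection checks from the report above."""
import re

# Constructed copy of the Remcos config fields shown in the report, in the
# same key-line / value-line layout the report uses.
EXTRACTED_CONFIG = """\
SixthClients
top.not2beabused01.xyz:1558
sub.not2beabused02.xyz:1558
copy_file
appsync.exe
copy_folder
Appsync
install_path
%AppData%
mutex
Appsync-TYGH55
startup_value
Appsync
take_screenshot_title
mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;
"""
WARZONE_C2 = "top.not2beabused01.xyz:1668"  # from the warzonerat config above

C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def parse_config(text):
    """Parse the flattened layout: host:port lines are C2 entries, a line
    followed by a host:port line is the list header, anything else is a key
    whose value is the next line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    cfg = {"c2": []}
    i = 0
    while i < len(lines):
        m = C2_RE.match(lines[i])
        if m:
            cfg["c2"].append((m["host"], int(m["port"])))
            i += 1
        elif i + 1 < len(lines) and C2_RE.match(lines[i + 1]):
            i += 1  # list header such as SixthClients
        else:
            cfg[lines[i]] = lines[i + 1] if i + 1 < len(lines) else ""
            i += 2
    return cfg


def build_iocs(cfg, appdata=r"C:\Users\victim\AppData\Roaming"):
    """Derive host and network indicators. The %AppData% expansion uses an
    assumed profile path; the real one depends on the victim account."""
    host, port = WARZONE_C2.rsplit(":", 1)
    install_dir = cfg["install_path"].replace("%AppData%", appdata) + "\\" + cfg["copy_folder"]
    return {
        "c2": set(cfg["c2"]) | {(host, int(port))},
        "dropped_exe": install_dir + "\\" + cfg["copy_file"],
        "run_value": cfg["startup_value"],
        "mutex": cfg["mutex"],
        # the trailing ';' in the config leaves an empty keyword; drop it
        "title_keywords": [k for k in cfg["take_screenshot_title"].split(";") if k],
    }


def titles_triggering_screenshot(titles, keywords):
    """Assumed semantics (the report does not state them): a screenshot is
    taken when any keyword occurs, case-insensitively, in the window title."""
    return [t for t in titles if any(k.lower() in t.lower() for k in keywords)]


# Constructed Sysmon-style key=value records, not events from the sandbox run.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"EventID=3 Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
    r"DestinationHostname=top.not2beabused01.xyz DestinationPort=1558",
    r"EventID=13 Image=C:\Users\victim\AppData\Roaming\Appsync\appsync.exe "
    r"TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Appsync "
    r"Details=C:\Users\victim\AppData\Roaming\Appsync\appsync.exe",
    r"EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe "
    r"DestinationHostname=example.com DestinationPort=443",
]
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces


def detect(events, iocs):
    """Three checks: Office spawning vbc.exe, a connection to a configured C2
    endpoint, and the Run value named in startup_value being written."""
    hits = []
    for n, line in enumerate(events):
        ev = dict(FIELD_RE.findall(line))
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == "1" and parent in OFFICE_PARENTS and image == "vbc.exe":
            hits.append((n, "office_spawns_vbc"))
        if ev.get("EventID") == "3":
            dst = (ev.get("DestinationHostname", ""), int(ev.get("DestinationPort", "0")))
            if dst in iocs["c2"]:
                hits.append((n, "c2_connection"))
        if ev.get("EventID") == "13" and ev.get("TargetObject", "").endswith("\\Run\\" + iocs["run_value"]):
            hits.append((n, "run_key_persistence"))
    return hits


if __name__ == "__main__":
    iocs = build_iocs(parse_config(EXTRACTED_CONFIG))
    print(iocs)
    print(detect(SAMPLE_EVENTS, iocs))
    print(titles_triggering_screenshot(
        ["Inbox - Outlook", "Untitled - Notepad", "Coinbase crypto wallet"], iocs["title_keywords"]))
```

Note that `install_flag` is false in this config, so the copy under %AppData%\Appsync and the Run value may not appear on every host; the C2 endpoints and the mutex name are the indicators least dependent on the install options. Short keywords such as `eth` in the screenshot-trigger list match far more window titles than the operator probably intended, which is why the keyword list is better used to understand what the operator targets than as a detection on its own.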