General

Target: doc02606820230327115145 Our Ref S3831841.tar.gz
Size: 389KB
Sample: 230329-n8lb4ahg7s
MD5: 26fbae333dbe2b73fe888cd5c45f3e40
SHA1: 1363933700a44b0e189496c477564e1423fe0701
SHA256: 30baf76c75886adb9c86b28ec69b3ea6731620a4e5e4e04314feaa94eaff1036
SHA512: dd406e98b8215a18450a86ead588ca1726b1001aacdd9b44d9084ad05f4c69876d367d6b5327e3b7206904cbd2ba57a0000a4c1ea2dccc6160ab050d12e5fc85
SSDEEP: 6144:bmHvQB8DpYK1Nk2dNE+c044/iqSr16fK4dfZcL0EO0T/axR3cAsffDBXQ+QL/LjZ:bmPG5y/iqSZAZcAEO02Lc7HDm+M/NH
Static task: static1

Behavioral task: behavioral1
Sample: doc02606820230327115145 Our Ref S3831841.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: doc02606820230327115145 Our Ref S3831841.exe
Resource: win10v2004-20230220-en
Malware Config

Extracted
Family: warzonerat
C2: peggyboo.duckdns.org:4545
Targets

Target: doc02606820230327115145 Our Ref S3831841.exe
Size: 958KB
MD5: 8f9d3374b5f90a844d8d0b0f61492d4a
SHA1: c24902da8cda61f97fc37cc2c8786c4013731a37
SHA256: 1f4d869399d9b218e7d9dd738129fdcff54c50c12f58a76772767fe272ce4c44
SHA512: 2e1183792d31b45b55429739f05b70660120c6e9a5d795fa538fcd0cbaab1913fb47720d499977d58a64200127e18acb1ca824ed219636cd8bdede73b4cef3d4
SSDEEP: 12288:CYcH/Ym8m40U1g6LfYdOKMhhLm733R3VoctIRy3+AhSsKySOVgA0klqUM5Zh:CRgkwg6LfYdShiDtuUP3l75ShklqXh
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses cloud and file-hosting services to fetch its next-stage payload; in this sample the payload is Warzone RAT.
WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native C++ RAT with a plugin system, sold as malware-as-a-service (MaaS).
ModiLoader Second Stage
Warzone RAT payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application (registry Run-key persistence)
Suspicious use of SetThreadContext (commonly seen when a loader injects its payload into a suspended process)
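The hashes and the extracted C2 above are only useful once they are checked against something. The following Python script is an added example, not part of the sandbox report: it turns the listed file hashes and the warzonerat C2 (peggyboo.duckdns.org:4545) into a small matcher that classifies candidate files by any one of the listed digests and scans network log lines for the C2 hostname. The log lines inside it are constructed for illustration and are not from the report; the field names (`query=`, `dst=`) are an assumed log layout.

```python
"""IOC matcher for the indicators listed in this report.

Added example, not part of the sandbox report: it compares candidate
files against the hashes listed above and scans network log lines for the
extracted WarzoneRAT C2 (peggyboo.duckdns.org:4545). The log lines at the
bottom are constructed for illustration, not taken from the report.
"""
import hashlib
import re

ARCHIVE = "doc02606820230327115145 Our Ref S3831841.tar.gz"
DROPPER = "doc02606820230327115145 Our Ref S3831841.exe"

# Digests copied from the report (lowercase hex), mapped to the artifact they identify.
KNOWN_HASHES = {
    # archive (.tar.gz)
    "26fbae333dbe2b73fe888cd5c45f3e40": ARCHIVE,
    "1363933700a44b0e189496c477564e1423fe0701": ARCHIVE,
    "30baf76c75886adb9c86b28ec69b3ea6731620a4e5e4e04314feaa94eaff1036": ARCHIVE,
    # dropper (.exe) contained in the archive
    "8f9d3374b5f90a844d8d0b0f61492d4a": DROPPER,
    "c24902da8cda61f97fc37cc2c8786c4013731a37": DROPPER,
    "1f4d869399d9b218e7d9dd738129fdcff54c50c12f58a76772767fe272ce4c44": DROPPER,
}

# C2 from the extracted warzonerat config.
C2_HOST = "peggyboo.duckdns.org"
C2_PORT = 4545


def digest_bytes(data):
    """Return md5/sha1/sha256/sha512 hex digests of data, the set the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def match_known(digests):
    """Return the artifact name if any supplied digest appears in the report, else None."""
    for value in digests.values():
        hit = KNOWN_HASHES.get(value.lower())
        if hit is not None:
            return hit
    return None


# Whole-label match on the C2 hostname with an optional :port suffix, so that
# neither "notpeggyboo.duckdns.org" nor other duckdns.org names are flagged.
_C2_RE = re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"(?::(\d{1,5}))?(?![\w.-])",
                    re.IGNORECASE)


def scan_log(lines):
    """Return [(line_no, verdict)] for lines that reference the C2 host.

    "c2" means host and the configured port (4545) were both seen; "host" means
    the name alone (e.g. a DNS query); "host:<port>" means the name on another
    port, still worth an analyst's look.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = _C2_RE.search(line)
        if m is None:
            continue
        port = m.group(1)
        if port is None:
            hits.append((n, "host"))
        elif int(port) == C2_PORT:
            hits.append((n, "c2"))
        else:
            hits.append((n, "host:" + port))
    return hits


# Constructed log lines (not from the report): one DNS lookup, three connections,
# and one lookup of an unrelated duckdns.org name that must not match.
SAMPLE_LOG = [
    "2023-03-29T10:12:01Z ws17 dns query=peggyboo.duckdns.org type=A",
    "2023-03-29T10:12:02Z ws17 conn dst=peggyboo.duckdns.org:4545 proto=tcp",
    "2023-03-29T10:12:05Z ws17 conn dst=updates.example.net:443 proto=tcp",
    "2023-03-29T10:12:09Z ws17 conn dst=peggyboo.duckdns.org:443 proto=tcp",
    "2023-03-29T10:12:11Z ws17 dns query=other.duckdns.org type=A",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(match_known({"sha256": "1f4d869399d9b218e7d9dd738129fdcff54c50c12f58a76772767fe272ce4c44"}))
```

Two caveats when using this for a hunt. The C2 is a duckdns.org dynamic-DNS name, so the address it resolved to during the sandbox run may differ from what it resolves to later; match on the hostname in DNS and proxy logs rather than on a baked-in IP, and do not treat every duckdns.org name as malicious on the strength of this one report. The SSDEEP values above are deliberately left out of the matcher: Python's standard library has no ssdeep implementation, so fuzzy-hash comparison needs the ssdeep tool or its bindings.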