General
-
Target
Attachment route.pdf.exe
-
Size
296KB
-
Sample
230406-hcxscsbg69
-
MD5
e1ccc17de05a8ebedbbda1d4d2fec7c7
-
SHA1
09e36c331ef53fa7ca12345f2a02c1a020e7740d
-
SHA256
2f13778e9ae2e6c6b593c5615d88220cd441bdabe885ed3dd5bf9478ed823816
-
SHA512
c6b53a9fc43a97850684bb1254ad0769b1fd6c388ecb8a4c7f9b8a5a5954279c0ab6c3a7788419a6a1f583a7c7decfd99bf09d29c6daa2c7445abc9281933cda
-
SSDEEP
6144:ZzNJ3/iCc6TGAv3xCnvUy0O12udoEUAtKU2TI:1KCc6TDPxEswldEG2I
Malware Config
Extracted
warzonerat
crazydns.linkpc.net:55868
Targets
-
-
Target
Attachment route.pdf.exe
-
Size
296KB
-
MD5
e1ccc17de05a8ebedbbda1d4d2fec7c7
-
SHA1
09e36c331ef53fa7ca12345f2a02c1a020e7740d
-
SHA256
2f13778e9ae2e6c6b593c5615d88220cd441bdabe885ed3dd5bf9478ed823816
-
SHA512
c6b53a9fc43a97850684bb1254ad0769b1fd6c388ecb8a4c7f9b8a5a5954279c0ab6c3a7788419a6a1f583a7c7decfd99bf09d29c6daa2c7445abc9281933cda
-
SSDEEP
6144:ZzNJ3/iCc6TGAv3xCnvUy0O12udoEUAtKU2TI:1KCc6TDPxEswldEG2I
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-