General
- Target: OM PO(s) # 32749219-21.exe
- Size: 805KB
- Sample: 230420-jlyxfsad41
- MD5: d3876665ddfbe8c1fbafc916fbaf9551
- SHA1: 421e61bf617367290a652cb3b29e1b8c7305e4a9
- SHA256: 552685bd9d5668183267fa60f76af8584611e11d439085d660ae54147ca5f355
- SHA512: 39d032c2502b02019057e0b55242ad3b93408006579fe0a765a1fe7d42b283675ea7650348a58b63561741b60f640c515d6ea674422fe7fca8422eba246b920e
- SSDEEP: 12288:Jwkt7fpbG7q2VrwFup9bAoxJHdDlvKRGXBveIcQgYRmfD+fJOAIW4Wh:JwkNnG/Pxxhp0MxmIcQg7DyF4Wh
Static task
- static1
Behavioral task
- behavioral1: Sample OM PO(s) # 32749219-21.exe, Resource win7-20230220-en
- behavioral2: Sample OM PO(s) # 32749219-21.exe, Resource win10v2004-20230220-en
Malware Config
- Extracted: warzonerat (nightmare4666.ddns.net:3443)
Targets
- Target: OM PO(s) # 32749219-21.exe
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- ModiLoader Second Stage
- Warzone RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext