General

  • Target

    Comprobante_de_Pago.xll

  • Size

    1.0MB

  • Sample

    231210-t1c9eahdh4

  • MD5

    1510d19d22226ffb9ab6dcfbf512ac41

  • SHA1

    6e4bebe5acf2c235c82033a55b163b8950ba776a

  • SHA256

    07b2d2a8e07e42bd38499973d05b984cdcae3b00ee8ee91c793b0b4d3f7d5f1a

  • SHA512

    3ecb0ff44d32f7603a312b809d257b7905df7322bdec99ff7a56fe3666b46e3eb250ab3c817852a62b42702e6419deba0f64b0397922a0c20528866e7ba2d62a

  • SSDEEP

    24576:hoOOMX1r+QHT+d7FBDtvBw485bQ8cYvh/Um:hoOO++QHs/DtvHG087h/Um

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Extracted

  • Family

    warzonerat

  • C2

    qoldwold.zanity.net:5202

Targets

    • Target

      Comprobante_de_Pago.xll

    • Size

      1.0MB

    • MD5

      1510d19d22226ffb9ab6dcfbf512ac41

    • SHA1

      6e4bebe5acf2c235c82033a55b163b8950ba776a

    • SHA256

      07b2d2a8e07e42bd38499973d05b984cdcae3b00ee8ee91c793b0b4d3f7d5f1a

    • SHA512

      3ecb0ff44d32f7603a312b809d257b7905df7322bdec99ff7a56fe3666b46e3eb250ab3c817852a62b42702e6419deba0f64b0397922a0c20528866e7ba2d62a

    • SSDEEP

      24576:hoOOMX1r+QHT+d7FBDtvBw485bQ8cYvh/Um:hoOO++QHs/DtvHG087h/Um

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks