General
  Target: 16569830230.zip
  Size: 103.1MB
  Sample: 240412-bssp1sbb53
  MD5: 00959cbf5b11cb825b6cb074d9dc6327
  SHA1: 1732054e14929b874ee0e7ea86ed411f87e58504
  SHA256: 40c5ac0fe49c8df1fcd334c72c4a8f75cc96a0a93e84f569cfb88589ef2b8134
  SHA512: 8e143fd7dd89dd2e1384ceec524b02c753d58d055cdf8849e79b786a1149834877949fc5cb29ec1418d2c8ad886fc79f19c07ff8abf9d6abd2824f1aaf087b42
  SSDEEP: 3145728:qyehDLbdHZ2PqW8tdoefxOADd6PClRYyeCe:qyghhFfVDmUUd
Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: INVOICE_LA_PDF.LNK.exe
    Resource: win7-20231129-en
  Behavioral task: behavioral2
    Sample: INVOICE_LA_PDF.LNK.exe
    Resource: win10v2004-20240226-en
  Behavioral task: behavioral3
    Sample: Tier1.pdf
    Resource: win7-20231129-en
  Behavioral task: behavioral4
    Sample: Tier1.pdf
    Resource: win10v2004-20240226-en
  Behavioral task: behavioral5
    Sample: g2m.dll
    Resource: win7-20240220-en
  Behavioral task: behavioral6
    Sample: g2m.dll
    Resource: win10v2004-20240226-en
Malware Config
  Extracted: warzonerat
    l34d3r.duckdns.org:4047
Targets
  Target: INVOICE_LA_PDF.LNK.exe
  Size: 39KB
  MD5: f1b14f71252de9ac763dbfbfbfc8c2dc
  SHA1: dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
  SHA256: 796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
  SHA512: 636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
  SSDEEP: 768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
  Score: 10/10
  Family: WarzoneRat, AveMaria
    WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as MaaS.
  Signatures:
    Warzone RAT payload
    Adds Run key to start application
    Suspicious use of SetThreadContext
  Target: Tier1.pdf
  Size: 102.1MB
  MD5: db0521bd7e4b9fc803f9a900212eea02
  SHA1: 6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa
  SHA256: e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb
  SHA512: 22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f
  SSDEEP: 3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M
  Score: 1/10
  Target: g2m.dll
  Size: 14.7MB
  MD5: e74edf0e25243707b521025e35581273
  SHA1: 61037e709b30fab28f52de0d6489f3f3433c7146
  SHA256: 3d7c57fd5e035b159d4f1460989924756a725db772787cf8ad67d543c510fe54
  SHA512: 8393134d5cf9512011ef6d309918810db7242605696ca6485d6c5054871ddec7bf243b52f0994e1484254818cc012b99c87eb0810fc46c0c0e9e8ca9d7d1faed
  SSDEEP: 196608:10ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsqEY:1zvfaEog+4rdbUTFVdEY
  Score: 10/10
  Family: WarzoneRat, AveMaria
    WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as MaaS.
  Signatures:
    Warzone RAT payload
    Adds Run key to start application
    Suspicious use of SetThreadContext