General
- Target: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c
- Size: 1.1MB
- Sample: 240417-ca8tysae78
- MD5: 37b4693e5dceb0a0947d0e4689d8528f
- SHA1: 97aed497245e2877266c1db478b2ef027a85cad4
- SHA256: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c
- SHA512: 09cc9faa81a0e9b7281857d249ad4a94dd126a820f5480ee9b8b080ff2ed45756a97786ae70f921c73b68029c39096f0d06c11d23dfc1d10305df7824d26700e
- SSDEEP: 24576:0JIq+wADGZYx4t/yVrQ9JO85sfip46OV/b7Ddjv:eNAXCSfs8V/b7Bjv
Static task: static1
Behavioral task: behavioral1
- Sample: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: warzonerat
- halal.home-webserver.de:3109
Extracted: agenttesla
- https://api.telegram.org/bot7151978883:AAFh5gnUgBpu9wRKc_YthxJJLRhGesQQvHI/
Targets
- Target: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c
- Size: 1.1MB
- MD5: 37b4693e5dceb0a0947d0e4689d8528f
- SHA1: 97aed497245e2877266c1db478b2ef027a85cad4
- SHA256: 6312ac3b9f220b842da25dfee009d759376b0ca548649cabe9b20e7b92dace6c
- SHA512: 09cc9faa81a0e9b7281857d249ad4a94dd126a820f5480ee9b8b080ff2ed45756a97786ae70f921c73b68029c39096f0d06c11d23dfc1d10305df7824d26700e
- SSDEEP: 24576:0JIq+wADGZYx4t/yVrQ9JO85sfip46OV/b7Ddjv:eNAXCSfs8V/b7Bjv
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- ModiLoader Second Stage
- Warzone RAT payload
- Downloads MZ/PE file
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext