General

Target: HAN HII PAYMENT-USD.doc
Size: 70KB
Sample: 240430-gd11qsec7w
MD5: 1812b0ee6924f6188269c65494e580e8
SHA1: fc83f1d3acb53009cbaa7b9df57676274fc561a1
SHA256: 7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68
SHA512: 5432bbe2f3f54a1ddf8980ad1f34a684d0e7b17bd29cc059c3c20e798dfcab025d68a0b46776630c64b84c062a146e27c2f75f8de57e08f88b1ac8cfed1f8eff
SSDEEP: 768:Dpwxw+tCmFeFahP8nmwyd04aCF+Fas0Mxw+tq:DSxrtCmFeFahP81CF+FasZxrt
Behavioral task: behavioral1
Sample: HAN HII PAYMENT-USD.doc
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: HAN HII PAYMENT-USD.doc
Resource: win10v2004-20240419-en

Malware Config

Extracted: warzonerat
C2: 45.137.22.105:4821
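The hashes and extracted C2 above are the indicators an analyst wants to lift out of this report and push into blocklists and IDS rules. The script below is an added example (not part of the sandbox report or its tooling): it parses the flattened key/value layout used on this page, rejects hash values of the wrong length or with non-hex characters, validates the C2 as an IP:port pair, and renders a Suricata alert rule per C2 endpoint. The report text embedded in it is constructed to mirror this page's layout; the hash and C2 values are those shown above, and the Suricata `sid` base is an assumed local-rule number.

```python
import ipaddress
import re

# Constructed copy of the page's flattened layout (values are the report's own).
REPORT_TEXT = """\
General
-
Target
HAN HII PAYMENT-USD.doc
-
Size
70KB
-
MD5
1812b0ee6924f6188269c65494e580e8
-
SHA1
fc83f1d3acb53009cbaa7b9df57676274fc561a1
-
SHA256
7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68
Malware Config
Extracted
warzonerat
45.137.22.105:4821
"""

# Expected hex length per digest; anything else is a transcription error, not an IOC.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_endpoint(s):
    """Return (ip, port) for an 'ip:port' string, or None if it is not one."""
    host, sep, port = s.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    port = int(port)
    if not 1 <= port <= 65535:
        return None
    return (str(ip), port)


def parse_report(text):
    """Walk the flattened report: a hash label is followed by its value on the next line;
    'Extracted' is followed by the family name, then one ip:port line per C2 endpoint."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    iocs = {"hashes": {}, "family": None, "c2": []}
    i = 0
    while i < len(lines):
        key = lines[i]
        if key in HASH_LENGTHS and i + 1 < len(lines):
            value = lines[i + 1].lower()
            if len(value) != HASH_LENGTHS[key] or not HEX_RE.match(value):
                raise ValueError(f"{key} value has wrong length or non-hex chars: {value}")
            iocs["hashes"][key] = value
            i += 2
        elif key == "Extracted" and i + 1 < len(lines):
            iocs["family"] = lines[i + 1]
            i += 2
            # Every following ip:port line belongs to the extracted config.
            while i < len(lines) and parse_endpoint(lines[i]) is not None:
                iocs["c2"].append(parse_endpoint(lines[i]))
                i += 1
        else:
            i += 1
    return iocs


def suricata_rules(iocs, sid):
    """One Suricata alert rule per C2 endpoint, for outbound TCP from $HOME_NET.
    `sid` is an assumed starting number in the local-rule range."""
    rules = []
    for ip, port in iocs["c2"]:
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{iocs["family"]} C2 {ip}:{port}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    found = parse_report(REPORT_TEXT)
    print(found)
    for rule in suricata_rules(found, 1000001):
        print(rule)
```

Validating the digests before use matters more than it looks: a hash copied with a dropped character silently matches nothing, so a blocklist built from it gives false assurance.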
Targets

Target: HAN HII PAYMENT-USD.doc
Size: 70KB
MD5: 1812b0ee6924f6188269c65494e580e8
SHA1: fc83f1d3acb53009cbaa7b9df57676274fc561a1
SHA256: 7fb4306a36b61be977dfc6f56443542c9d70273bb97b55d5049cd86608aa0f68
SHA512: 5432bbe2f3f54a1ddf8980ad1f34a684d0e7b17bd29cc059c3c20e798dfcab025d68a0b46776630c64b84c062a146e27c2f75f8de57e08f88b1ac8cfed1f8eff
SSDEEP: 768:Dpwxw+tCmFeFahP8nmwyd04aCF+Fas0Mxw+tq:DSxrtCmFeFahP81CF+FasZxrt

Signatures

Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. Agile.Net protects .NET assemblies, so this applies to a component downloaded or dropped during execution, not to the submitted .doc itself.

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext
Setting another thread's context is the usual final step of process hollowing or similar injection, where a loader writes a payload into a suspended process and redirects its main thread to it.
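The signature list reads as a chain: an Office process starts an unexpected child, the child persists through a Run key, and a dropped binary talks to the extracted C2. The detection logic below is an added example (not the sandbox's own rules) showing how that chain is caught from endpoint telemetry and then correlated per process. The events are constructed Sysmon-style records (Event ID 1 process create, 13 registry value set, 3 network connect) and are not taken from the report; the dropped file name `vbc.exe`, the SID, the allowlist of expected Office children and the user-writable path list are all assumptions to tune against a real baseline. Only the C2 address comes from the report.

```python
import ipaddress

# Constructed Sysmon-style events (none are from the report). The pid-1300 chain models
# the signatures above; the last two records are benign noise the rules must ignore.
EVENTS = [
    {"id": 1, "pid": 1200, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": 'WINWORD.EXE "HAN HII PAYMENT-USD.doc"'},
    {"id": 1, "pid": 1300, "image": r"C:\Users\victim\AppData\Roaming\vbc.exe",  # assumed drop name
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", "cmdline": "vbc.exe"},
    {"id": 13, "pid": 1300, "image": r"C:\Users\victim\AppData\Roaming\vbc.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vbc",
     "details": r"C:\Users\victim\AppData\Roaming\vbc.exe"},
    {"id": 3, "pid": 1300, "image": r"C:\Users\victim\AppData\Roaming\vbc.exe",
     "dest_ip": "45.137.22.105", "dest_port": 4821},
    {"id": 1, "pid": 1400, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE"},
    {"id": 3, "pid": 900, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office starts in normal use (assumed baseline); anything else under an
# Office parent is the "unexpected child process" case.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe", "dw20.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
KNOWN_C2 = {("45.137.22.105", 4821)}  # from the report's extracted warzonerat config


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def detect(events):
    """Return (rule, pid, detail) tuples for every event that trips a rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
                alerts.append(("office_unexpected_child", ev["pid"], f"{parent} -> {ev['image']}"))
        elif ev["id"] == 13:
            if any(k in ev["target_object"].lower() for k in RUN_KEYS):
                # A Run value pointing into a user-writable directory is drop-and-persist.
                sev = "high" if in_user_writable(ev["details"]) else "medium"
                alerts.append(("run_key_persistence", ev["pid"],
                               f"{sev}: {ev['target_object']} = {ev['details']}"))
        elif ev["id"] == 3:
            dest = (ev["dest_ip"], ev["dest_port"])
            if dest in KNOWN_C2:
                alerts.append(("known_c2_connection", ev["pid"], f"{dest[0]}:{dest[1]}"))
            elif in_user_writable(ev["image"]) and ipaddress.ip_address(dest[0]).is_global:
                # Unknown destination, but a binary in a user-writable path reaching the
                # internet is still worth a medium-severity alert.
                alerts.append(("user_writable_binary_egress", ev["pid"], f"{dest[0]}:{dest[1]}"))
    return alerts


def correlate(alerts, threshold=2):
    """Group alerts by pid; a process tripping `threshold` or more distinct rules is escalated."""
    by_pid = {}
    for rule, pid, _ in alerts:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print("escalate:", correlate(found))
```

The per-pid correlation is the part that survives contact with a noisy estate: a single Office child-process alert is common enough that analysts learn to ignore it, but one process that is an unexpected Office child, writes a Run value and reaches a known C2 is the report's chain end to end.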