General
- Target: fffddsfdsgfd.png
- Size: 82KB
- Sample: 240709-3gzgzasejn
- MD5: d586f6d0e6532c1e30c420f7167856bd
- SHA1: 2b3cd081d870b29df1f6249f3f50d890321bb983
- SHA256: 21df242a377d7ddea14251178bb29a2300c8535eac6bdde541f910f709472223
- SHA512: 3f3dc9059bc45b0ff79ac586a8440a87879168ea5ba8f5d07279e99a072656a15ec6d4b7037dfdd3a1faafc087c982116085a902e057b064fef908098888bf5f
- SSDEEP: 1536:hpk3C1qszuBnQbxe/xRgGbFBH4dCOPEtp7VpRKYlkUTZMdFsiHyfc0Nz196:A3ASBQbxsfg8Fh4dC4WpXRV1ZiSkS96
Static task: static1
Behavioral task: behavioral1 (Sample: fffddsfdsgfd.png, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: fffddsfdsgfd.png, Resource: win10v2004-20240709-en)
Malware Config
- Extracted: crimsonrat
  - 185.136.161.124
- Extracted: revengerat
  - Guest
  - 0.tcp.ngrok.io:19521
  - RV_MUTEX
- Extracted: warzonerat
  - 168.61.222.215:5400
Targets
- CrimsonRAT main payload
- Modifies WinLogon for persistence
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- RevengeRat Executable
- Warzone RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- JavaScript (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
- Scripting (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
- Scheduled Task (1)