Extracted

• • Target

    ORDER883274777724884pdf.vbs

  • Size

    19KB

  • MD5

    7e2ef2525a8c587529e9b0dae21f3709

  • SHA1

    75e91eb1ecefa8ffa43b766ce5ef36df88c1887c

  • SHA256

    d7190b79fb6e5d8687b4189bd2fbebb275530fb80f89569770a4d6cec5e0061e

  • SHA512

    93b6dac71d4a59bdfc03b8c4ecc8795de1b8844c29cd5fcc4ee1f843df18cf60a7c62fd5a7d9c71c4fa9979e0e4768a6b6bf8abc1168aaccbdf187dd71075071

  • SSDEEP

    384:HhnrLUNd/atj/K3wSGkPJmxNSiMFpWrd2Wx3l4cgb1:HhnfrtjS3dGwW2wzxl4Pp

  Score

  10^/10

  executionwarzoneratcollectioncredential_accessdiscoveryinfostealerratspywarestealer

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Warzone RAT payload

    rat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2