General
  Target: CompanyProfile.vbs
  Size: 413KB
  Sample: 240917-h4d5bs1bkd
  MD5: 110831ca8aa326ecd1e0c364adc7062a
  SHA1: 34c36ce57105514fa8a0db8ef82aec5db6bd7d34
  SHA256: a5bf9d0f1895c9eb988d0d946ccf5022f73b68005450414ddbfdb36a053e4fc0
  SHA512: bdd4fef931fd404f450e117b63fbbe47abc71953cee3d4e414643ec19e657ee3efd43df79b0a95fcc4254b5e4bea624b0dce5cb3839a038a20a9cfb86ffcfdf2
  SSDEEP: 3072:1HGYwftYFGhNe4VTdRnTT8w4TWxHqQYDgbppvicsKS7pEXGRTLYJeP0rkNyt:NwftYFgHqQD
Static task: static1

Behavioral task: behavioral1
  Sample: CompanyProfile.vbs
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: CompanyProfile.vbs
  Resource: win10v2004-20240910-en
Malware Config
  Extracted: warzonerat
  Address: 109.248.151.156:2048
Targets
  Target: CompanyProfile.vbs
  Size: 413KB
  MD5: 110831ca8aa326ecd1e0c364adc7062a
  SHA1: 34c36ce57105514fa8a0db8ef82aec5db6bd7d34
  SHA256: a5bf9d0f1895c9eb988d0d946ccf5022f73b68005450414ddbfdb36a053e4fc0
  SHA512: bdd4fef931fd404f450e117b63fbbe47abc71953cee3d4e414643ec19e657ee3efd43df79b0a95fcc4254b5e4bea624b0dce5cb3839a038a20a9cfb86ffcfdf2
  SSDEEP: 3072:1HGYwftYFGhNe4VTdRnTT8w4TWxHqQYDgbppvicsKS7pEXGRTLYJeP0rkNyt:NwftYFgHqQD

  Signatures
    WarzoneRat, AveMaria
      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
    Credentials from Password Stores: Credentials from Web Browsers
      Malicious access to, or copy of, the web browser credential store.
    Warzone RAT payload
    Blocklisted process makes network request
    Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    Loads dropped DLL
    Accesses Microsoft Outlook profiles
    Suspicious use of SetThreadContext