General
-
Target
f196c1d0c01eb81b4577d99f9702f66bb92834807f6aa1f9e03a702f4972569eN
-
Size
1.4MB
-
Sample
240919-2vbgmawann
-
MD5
6856ee9647aee7f39564cf1fa4b5eca0
-
SHA1
435c2af2aca0f77c7381ca83801c6a3bf2bb1a9f
-
SHA256
f196c1d0c01eb81b4577d99f9702f66bb92834807f6aa1f9e03a702f4972569e
-
SHA512
e0de3429ab218f8fa77247999a12464b6b0445afe0429592052039b1c2226eed7ab265f666f8ea390c53695fac63b732c52d531354775332520d22d57258b566
-
SSDEEP
24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYR:Fo0c++OCokGs9Fa+rd1f26RNYR
Malware Config
Extracted
netwire
Wealthy2019.com.strangled.net:20190
wealthyme.ddns.net:20190
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
sunshineslisa
-
install_path
%AppData%\Imgburn\Host.exe
-
keylogger_dir
%AppData%\Logs\Imgburn\
-
lock_executable
false
-
offline_keylogger
true
-
password
sucess
-
registry_autorun
false
-
use_mutex
false
Extracted
warzonerat
wealth.warzonedns.com:5202
Targets
-
-
Target
f196c1d0c01eb81b4577d99f9702f66bb92834807f6aa1f9e03a702f4972569eN
-
Size
1.4MB
-
MD5
6856ee9647aee7f39564cf1fa4b5eca0
-
SHA1
435c2af2aca0f77c7381ca83801c6a3bf2bb1a9f
-
SHA256
f196c1d0c01eb81b4577d99f9702f66bb92834807f6aa1f9e03a702f4972569e
-
SHA512
e0de3429ab218f8fa77247999a12464b6b0445afe0429592052039b1c2226eed7ab265f666f8ea390c53695fac63b732c52d531354775332520d22d57258b566
-
SSDEEP
24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYR:Fo0c++OCokGs9Fa+rd1f26RNYR
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-