General
Target: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
Size: 1.4MB
Sample: 250216-ls8fksskfv
MD5: 7cff06b4a33edeb72d5670a73a262a99
SHA1: 3a045965116f8389e265efab24bb2bb1f924df1f
SHA256: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def
SHA512: 06c3568f642a36324fa5a29e32399a54013a4982601bb94dc748ea90b03034e21e0bcab966f335bbc52214a0a0b9ce46c0cb2561a53a26244ab8e2d048ab0ff5
SSDEEP: 24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYQ:Fo0c++OCokGs9Fa+rd1f26RNYQ
Behavioral task: behavioral1
Sample: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
Resource: win10v2004-20250211-en
Malware Config
Extracted: netwire
C2: Wealthy2019.com.strangled.net:20190
C2: wealthyme.ddns.net:20190
activex_autorun: false
copy_executable: true
delete_original: false
host_id: sunshineslisa
install_path: %AppData%\Imgburn\Host.exe
keylogger_dir: %AppData%\Logs\Imgburn\
lock_executable: false
offline_keylogger: true
password: sucess
registry_autorun: false
use_mutex: false
Note that both NetWire autorun options (activex_autorun, registry_autorun) are off in this config, so the Active Setup persistence flagged in the signatures is not explained by the NetWire config alone; the keylogger is configured to log offline to the keylogger_dir above.
Extracted: warzonerat
C2: wealth.warzonedns.com:5202
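The two configs give concrete indicators: three C2 hostnames with ports, a NetWire install path and a keylogger directory. The following is an added example (not part of the sandbox report and not the sample's code) that turns them into matching rules and runs them over host telemetry. The indicator values are the ones extracted above; the Sysmon-style DNS, network and file events are constructed for illustration, and the event field names (`type`, `query`, `dst`, `dport`, `path`) are the example's own assumption.

```python
"""Turn the extracted NetWire and WarzoneRAT configs into indicators and run
them over host telemetry.  Added example, not part of the sandbox report: the
indicator values come from the extracted configs above, the event records
are constructed Sysmon-style entries made up for illustration.
"""
import re

# (hostname, port) pairs from the configs, hostnames lowercase because DNS
# names are case-insensitive.
C2_INDICATORS = {
    "netwire": {("wealthy2019.com.strangled.net", 20190), ("wealthyme.ddns.net", 20190)},
    "warzonerat": {("wealth.warzonedns.com", 5202)},
}
# install_path and keylogger_dir from the NetWire config (a trailing backslash
# marks a directory: anything written under it is a hit).
FILE_INDICATORS = {
    "netwire": ["%AppData%\\Imgburn\\Host.exe", "%AppData%\\Logs\\Imgburn\\"],
}
# %AppData% expands to <profile>\AppData\Roaming, so a config path must accept
# any drive letter and any user name.
_APPDATA = r"[a-z]:\\users\\[^\\]+\\appdata\\roaming"


def path_pattern(config_path: str) -> re.Pattern:
    """Compile a %AppData%-relative config path into a case-folded regex."""
    head, sep, tail = config_path.lower().partition("%appdata%")
    if not sep or head:
        raise ValueError("only paths starting with %AppData% are handled here")
    return re.compile("^" + _APPDATA + re.escape(tail) + (".*" if tail.endswith("\\") else "$"))


def norm_host(name: str) -> str:
    """Case-fold and drop the trailing dot some DNS loggers keep."""
    return name.rstrip(".").lower()


def scan(events: list[dict]) -> list[dict]:
    """One hit per matching event.  A connection to a C2 host on a port other
    than the configured one is reported at medium confidence instead of being
    dropped: operators re-point ports far more often than they re-register
    domains."""
    c2_hosts = {h: fam for fam, pairs in C2_INDICATORS.items() for h, _ in pairs}
    c2_pairs = {p: fam for fam, pairs in C2_INDICATORS.items() for p in pairs}
    file_pats = [(fam, path_pattern(p)) for fam, paths in FILE_INDICATORS.items() for p in paths]
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "dns":
            fam = c2_hosts.get(norm_host(ev["query"]))
            if fam:
                hits.append({"event": i, "family": fam, "confidence": "high", "why": "dns " + ev["query"]})
        elif ev["type"] == "net":
            host, port = norm_host(ev["dst"]), ev["dport"]
            if (host, port) in c2_pairs:
                hits.append({"event": i, "family": c2_pairs[(host, port)], "confidence": "high",
                             "why": f"connect {host}:{port}"})
            elif host in c2_hosts:
                hits.append({"event": i, "family": c2_hosts[host], "confidence": "medium",
                             "why": f"connect {host}:{port} (port differs from config)"})
        elif ev["type"] == "file":
            for fam, pat in file_pats:
                if pat.match(ev["path"].lower()):
                    hits.append({"event": i, "family": fam, "confidence": "high", "why": "file " + ev["path"]})
                    break
    return hits


SAMPLE_EVENTS = [  # constructed for this example
    {"type": "dns", "host": "PC1", "query": "WEALTHYME.DDNS.NET."},
    {"type": "net", "host": "PC1", "dst": "wealthyme.ddns.net", "dport": 20190},
    {"type": "net", "host": "PC1", "dst": "wealth.warzonedns.com", "dport": 443},
    {"type": "file", "host": "PC1", "path": "C:\\Users\\lisa\\AppData\\Roaming\\Imgburn\\Host.exe"},
    {"type": "file", "host": "PC1", "path": "C:\\Users\\lisa\\AppData\\Roaming\\Logs\\Imgburn\\2025-02-16.log"},
    {"type": "file", "host": "PC2", "path": "C:\\Program Files\\ImgBurn\\ImgBurn.exe"},
    {"type": "dns", "host": "PC2", "query": "notwealthyme.ddns.net"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h)
```

The file rules deliberately anchor on the whole profile path rather than on the string `Imgburn`, so a legitimate ImgBurn install under Program Files does not fire; the DNS rule matches the exact name, so look-alike names are not caught by substring accident.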
Targets
Target: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe (1.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- NetWire RAT payload
- Netwire family
- WarzoneRat, AveMaria: WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzonerat family
- Warzone RAT payload
- Boot or Logon Autostart Execution: Active Setup: Adversaries may achieve persistence by adding a Registry key under Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components) of the local machine; the StubPath command of such a key runs at each user's next logon.
- Downloads MZ/PE file
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Event Triggered Execution: Component Object Model Hijacking: Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext: typically seen when a loader writes a payload into a suspended child process and redirects its entry point (process hollowing).
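Two of the signatures above, Active Setup and COM hijacking, are registry-based persistence that a responder can hunt for on other hosts. The following added example (not from the report, and not the sample's own code) checks a registry snapshot for both. The snapshot shape (hive-qualified key path mapped to a dict of value names) is the example's own assumption, and the snapshot contents, including every GUID and path in it, are constructed for illustration.

```python
"""Hunt for the two persistence techniques flagged above, Active Setup and
COM hijacking, in a registry snapshot.  Added example, not from the sandbox
report: the snapshot is constructed (made-up GUIDs and paths) and the
analysis only looks at the key/value shapes the techniques depend on.
"""
import re

# Key paths, lowercase because the registry is case-insensitive and snapshot
# keys are normalised the same way before lookup.
ACTIVE_SETUP = "software\\microsoft\\active setup\\installed components"
CLSID = "software\\classes\\clsid"

# Locations a standard user can write to.  A logon stub or COM server here is
# far more suspicious than one under %SystemRoot% or Program Files.
_USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)


def exe_path(command: str) -> str:
    """Pull the binary out of a StubPath / InprocServer32 value, which may be
    quoted and may carry arguments (an unquoted path with spaces is read up
    to its extension)."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.(?:exe|dll|ocx)))(?:\s|$)', command, re.I)
    return (m.group(1) or m.group(2)) if m else command.strip()


def _norm(snapshot: dict) -> dict:
    return {k.lower(): v for k, v in snapshot.items()}


def check_active_setup(snapshot: dict) -> list[dict]:
    """Every HKLM Installed Components entry with a StubPath is executed at a
    user's next logon unless HKCU already holds the same Version.  Report
    stubs in user-writable paths and whether they are still pending for this
    user.  (Windows compares Version fields numerically; treating any
    difference as pending is the conservative choice.)"""
    snap = _norm(snapshot)
    findings = []
    for key, vals in snap.items():
        if not key.startswith("hklm\\" + ACTIVE_SETUP + "\\") or "StubPath" not in vals:
            continue
        guid = key.rsplit("\\", 1)[1]
        stub = exe_path(vals["StubPath"])
        if not _USER_WRITABLE.match(stub):
            continue
        user_copy = snap.get("hkcu\\" + ACTIVE_SETUP + "\\" + guid, {})
        findings.append({"technique": "T1547.014", "component": guid, "stub": stub,
                         "runs_at_next_logon": user_copy.get("Version") != vals.get("Version")})
    return findings


def check_com_hijack(snapshot: dict) -> list[dict]:
    """COM activation reads HKCU\\Software\\Classes before HKLM, so a per-user
    InprocServer32/LocalServer32 for a CLSID the machine also registers
    redirects every non-elevated caller of that CLSID.  Report per-user
    servers that shadow a machine registration (high) and per-user servers in
    user-writable paths even when nothing is shadowed (medium)."""
    snap = _norm(snapshot)
    pat = re.compile(r"hkcu\\" + re.escape(CLSID) + r"\\(\{[0-9a-f-]+\})\\(inprocserver32|localserver32)$")
    findings = []
    for key, vals in snap.items():
        m = pat.match(key)
        if not m:
            continue
        guid, kind = m.groups()
        user_srv = exe_path(vals.get("(Default)", ""))
        machine = snap.get("hklm\\" + CLSID + "\\" + guid + "\\" + kind)
        machine_srv = exe_path(machine.get("(Default)", "")) if machine else None
        shadows = machine_srv is not None and machine_srv.lower() != user_srv.lower()
        if shadows or _USER_WRITABLE.match(user_srv):
            findings.append({"technique": "T1546.015", "clsid": guid, "user_server": user_srv,
                             "machine_server": machine_srv, "severity": "high" if shadows else "medium"})
    return findings


SNAPSHOT = {  # constructed for this example; GUIDs and paths are made up
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{a1b2c3d4-0000-4000-8000-000000000001}":
        {"StubPath": '"C:\\Windows\\System32\\ie4uinit.exe" -BaseSettings', "Version": "1,0,0,0"},
    "HKCU\\Software\\Microsoft\\Active Setup\\Installed Components\\{a1b2c3d4-0000-4000-8000-000000000001}":
        {"Version": "1,0,0,0"},
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{a1b2c3d4-0000-4000-8000-000000000002}":
        {"StubPath": "C:\\Users\\lisa\\AppData\\Roaming\\Imgburn\\Host.exe", "Version": "1,0,0,0"},
    "HKLM\\Software\\Classes\\CLSID\\{b1b2c3d4-0000-4000-8000-000000000003}\\InprocServer32":
        {"(Default)": "C:\\Windows\\System32\\shell32.dll", "ThreadingModel": "Apartment"},
    "HKCU\\Software\\Classes\\CLSID\\{b1b2c3d4-0000-4000-8000-000000000003}\\InprocServer32":
        {"(Default)": "C:\\Users\\lisa\\AppData\\Roaming\\Imgburn\\shell.dll", "ThreadingModel": "Apartment"},
    "HKCU\\Software\\Classes\\CLSID\\{b1b2c3d4-0000-4000-8000-000000000004}\\InprocServer32":
        {"(Default)": "C:\\Users\\lisa\\AppData\\Local\\Temp\\plug.dll"},
    "HKCU\\Software\\Classes\\CLSID\\{b1b2c3d4-0000-4000-8000-000000000005}\\InprocServer32":
        {"(Default)": "C:\\Program Files\\Vendor\\vendor.dll"},
}

if __name__ == "__main__":
    for finding in check_active_setup(SNAPSHOT) + check_com_hijack(SNAPSHOT):
        print(finding)
```

On a live Windows host the same dict can be filled from the `winreg` module or from a `reg export` of the two key trees on each hive. Two caveats when reading the results: an Active Setup stub only runs for users who have not yet logged on since the key was written, so the `runs_at_next_logon` flag tells you which accounts are still exposed; and elevated (high-integrity) processes skip HKCU\Software\Classes during COM lookup, so a per-user COM hijack captures the user's normal processes but not elevated ones.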
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): Active Setup (T1547.014)
- Browser Extensions (T1176)
- Event Triggered Execution (T1546): Component Object Model Hijacking (T1546.015)
- Scheduled Task/Job (T1053): Scheduled Task (T1053.005)
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): Active Setup (T1547.014)
- Event Triggered Execution (T1546): Component Object Model Hijacking (T1546.015)
- Scheduled Task/Job (T1053): Scheduled Task (T1053.005)