General
-
Target
catalogue_2021_samples_list_revise_ol.doc
-
Size
535KB
-
Sample
210928-lbx9aabeaq
-
MD5
84c45c2b0e94b8d1d064e739150ba84c
-
SHA1
f6a98ac4e50a89495626b5eaebb85d1116554faa
-
SHA256
7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
-
SHA512
8fb31fc4147af9e1568c9799307b3d5a8b4a3ed607e14061769f239ce4dd9b10464b9f878900c8777f1550b9a9e8cdfb7901bb22d6fa958f9761a4831ddf6162
Static task
static1
Behavioral task
behavioral1
Sample
catalogue_2021_samples_list_revise_ol.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
catalogue_2021_samples_list_revise_ol.doc
Resource
win10-en-20210920
Malware Config
Extracted
httP://13.92.100.208/doc/doc.exe
Extracted
warzonerat
152.67.253.163:5300
Targets
-
Target
catalogue_2021_samples_list_revise_ol.doc
-
Size
535KB
-
MD5
84c45c2b0e94b8d1d064e739150ba84c
-
SHA1
f6a98ac4e50a89495626b5eaebb85d1116554faa
-
SHA256
7b5572ae246bcd3f6ee0375e1e7a8c8d4287dae4ca1803d72ae427d8ecc93a32
-
SHA512
8fb31fc4147af9e1568c9799307b3d5a8b4a3ed607e14061769f239ce4dd9b10464b9f878900c8777f1550b9a9e8cdfb7901bb22d6fa958f9761a4831ddf6162
Score 10/10
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Warzone RAT Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-