CoreWarrior Spreader Malware Surge

Oct. 15, 2024, 11:45 a.m.

Description

This report analyzes CoreWarrior, a persistent trojan built for rapid self-propagation. The sample creates multiple copies of itself, attempts connections to a series of IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring. It employs anti-debugging checks, randomized sleep timers for evasion, and virtual-environment detection. It also references the FTP, SMTP, and POP3 protocols, which points to potential data exfiltration channels. The report provides indicators of compromise, including file hashes, and highlights SonicWall's proactive security measures to safeguard against this threat.

Date

Published: Oct. 15, 2024, 11:26 a.m.

Created: Oct. 15, 2024, 11:26 a.m.

Modified: Oct. 15, 2024, 11:45 a.m.

Indicators

8c97329cf7e48bb1464ac5132b6a02488b5f0358752b71e3135d9d0e4501b48d

85a6e921e4d5107d13c1eb8647b130a1d54ba2b6409118be7945fd71c6c8235f

http://wecan.hasthe.technology/upload
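The indicators above are only useful once they are actually swept across endpoints and logs. The following is an added example, not code from the report or from SonicWall: it hashes every file under a directory and matches against the two SHA-256 indicators, and it scans log lines for the upload URL, distinguishing an exact URL hit (proxy or URL-filter logs) from a bare hostname hit (DNS or connection logs). All sample log lines and files are constructed for the demonstration; since no real CoreWarrior sample is present, `demo()` adds a stand-in file's own hash to the indicator set purely to exercise the file-match path.

```python
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

# Indicators copied from the report: two SHA-256 file hashes and the upload URL.
REPORT_SHA256 = {
    "8c97329cf7e48bb1464ac5132b6a02488b5f0358752b71e3135d9d0e4501b48d",
    "85a6e921e4d5107d13c1eb8647b130a1d54ba2b6409118be7945fd71c6c8235f",
}
REPORT_URLS = {"http://wecan.hasthe.technology/upload"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, sha256_iocs=REPORT_SHA256):
    """Walk `root` and return [(path, sha256)] for every file whose hash is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = sha256_file(path)
            except OSError:  # unreadable or locked file: skip it, don't abort the sweep
                continue
            if h in sha256_iocs:
                hits.append((path, h))
    return hits


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def scan_log_lines(lines, url_iocs=REPORT_URLS):
    """Return [(line_number, match_kind)] for lines touching an IOC URL or its host.

    match_kind is "url" when the exact indicator URL appears and "host" when only
    the hostname does (e.g. a DNS query), which is still worth an alert."""
    hosts = {urlparse(u).hostname.lower() for u in url_iocs}
    normalized = {u.rstrip("/").lower() for u in url_iocs}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        found = [u.rstrip("/").lower() for u in URL_RE.findall(line)]
        if any(u in normalized for u in found):
            hits.append((lineno, "url"))
        elif any(h in line.lower() for h in hosts):
            hits.append((lineno, "host"))
    return hits


def demo():
    # Constructed sample data (proxy-style and DNS-style lines), not from the report.
    log_lines = [
        "1728990000.123 15 10.0.0.7 TCP_MISS/200 512 POST http://wecan.hasthe.technology/upload - DIRECT/203.0.113.10 text/plain",
        "1728990001.456 12 10.0.0.7 TCP_MISS/200 9876 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html",
        "Oct 15 11:30:02 resolver named[123]: client 10.0.0.7#51234: query: wecan.hasthe.technology IN A +",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        # No real sample is on disk, so a constructed stand-in file's own hash is
        # added to the indicator set only to exercise the match path.
        stand_in = os.path.join(tmp, "sub", "stand_in.bin")
        os.makedirs(os.path.dirname(stand_in))
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed stand-in for a CoreWarrior sample\n")
        iocs = REPORT_SHA256 | {sha256_file(stand_in)}
        file_hits = scan_tree(tmp, iocs)
    return scan_log_lines(log_lines), [os.path.basename(p) for p, _ in file_hits]


if __name__ == "__main__":
    log_hits, file_hits = demo()
    print("log hits:", log_hits)
    print("file hits:", file_hits)
```

Hash matching is exact by design: a recompiled or repacked variant will not match, so treat a miss as "not this build" rather than "clean", and pair the sweep with the behavioural signs the report describes (self-copies, bursts of outbound connections, UI hooks).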

Attack Patterns

CoreWarrior

T1207 (Rogue Domain Controller)

T1024 (Custom Cryptographic Protocol; deprecated in ATT&CK)

T1035 (Service Execution; revoked, now T1569.002)

T1089 (Disabling Security Tools; revoked, now T1562.001)

T1583 (Acquire Infrastructure)

T1012 (Query Registry)

T1014 (Rootkit)

T1057 (Process Discovery)

T1105 (Ingress Tool Transfer)

T1204 (User Execution)

T1033 (System Owner/User Discovery)

T1027 (Obfuscated Files and Information)

T1112 (Modify Registry)

T1090 (Proxy)

T1059 (Command and Scripting Interpreter)