CoreWarrior Spreader Malware Surge
Oct. 15, 2024, 11:45 a.m.
Description
This report analyzes CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs anti-debugging, evasion through randomized sleep timers, and virtual environment detection. It also references protocols like FTP, SMTP, and POP3 for potential data exfiltration. The report provides indicators of compromise, including hashes, and highlights SonicWall's proactive security measures to safeguard against this threat.
Date
- Created: Oct. 15, 2024, 11:26 a.m.
- Published: Oct. 15, 2024, 11:26 a.m.
- Modified: Oct. 15, 2024, 11:45 a.m.
Indicators
- 8c97329cf7e48bb1464ac5132b6a02488b5f0358752b71e3135d9d0e4501b48d
- 85a6e921e4d5107d13c1eb8647b130a1d54ba2b6409118be7945fd71c6c8235f
- http://wecan.hasthe.technology/upload