Overview

overview

10

Static

static

Purchase Order.exe

windows7_x64

10

Purchase Order.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase Order.7z

  • Size

    762KB

  • Sample

    210118-ase8a8sawx

  • MD5

    1e691fa6d518490e428e249993137c0d

  • SHA1

    a30fc5af391958070eb44f23f1f456516a492311

  • SHA256

    cd16d188108b02d270a0a63da1359bdc45df5a7825b6d5128a3108fb8e530337

  • SHA512

    b01a540aedcc0a0d7a5225de1e7de06d3d6e873843e986a78fcd3af5cf773ff05c931bf85cd0025b71e53303a2eabe51121a2a255c9011ed3fbd793b76b89de1

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

40.84.216.183:7600

Targets

    • Target

      Purchase Order.exe

    • Size

      1.2MB

    • MD5

      e9cdb57e8d85959e67fff38a7f8582ef

    • SHA1

      fbd35f584d4d92b30da710413eb3e47c42b2a2c3

    • SHA256

      1c5d4238505bbf9f9699eb6e12557e1cdf370a2495dc6b2d25559b28a502aefb

    • SHA512

      cfb752ecfadd3c965e03fca5de937d0e07184bf5e067bbc68354b739e6d474834f9097acfdbb8d86ab54cab14458d6546d3e51a7167d64f7ad1ce3139fb0fed6

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks