Overview

overview

10

Static

static

JANUARY QU...MM.exe

windows7_x64

10

JANUARY QU...MM.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

  • Size

    994KB

  • Sample

    210119-6s2hsxceg6

  • MD5

    86c59d1e4de693a0f5d2ffe3b1cd8ef9

  • SHA1

    64e5247411bbeff10fb09f0f8efe3d923d13f0a5

  • SHA256

    ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

  • SHA512

    1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

urchy.duckdns.org:30251

Targets

    • Target

      JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe

    • Size

      994KB

    • MD5

      86c59d1e4de693a0f5d2ffe3b1cd8ef9

    • SHA1

      64e5247411bbeff10fb09f0f8efe3d923d13f0a5

    • SHA256

      ae0867ee2b8d439245831fa1884fc5ef80cf9e38e43d1059e8030d2c433e4040

    • SHA512

      1ef4ea0020c2f2058b369e045a8a5eea071dd73408507ab06dcef1f1b9fbd1b8bf96ef73cb756296a4d7646185eb1e1c01814f9d23446f27ac14d625e36284c5

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks