Overview

overview

10

Static

static

EFT_REMITT...CE.exe

windows7_x64

10

EFT_REMITT...CE.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EFT_REMITTANCE_ADVICE.exe

  • Size

    975KB

  • Sample

    210119-bb5r7gnzne

  • MD5

    518c314827a6d5fca576e1a1dda788e9

  • SHA1

    4eae33a11a49f4e67cc81195226cb24411a9285e

  • SHA256

    9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

  • SHA512

    8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

vigo147.duckdns.org:5200

Targets

    • Target

      EFT_REMITTANCE_ADVICE.exe

    • Size

      975KB

    • MD5

      518c314827a6d5fca576e1a1dda788e9

    • SHA1

      4eae33a11a49f4e67cc81195226cb24411a9285e

    • SHA256

      9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

    • SHA512

      8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks