General

  • Target

    Purchase Order and Contract Agreement Namtip THAI CO.doc

  • Size

    3.2MB

  • Sample

    210120-a8p8lz63de

  • MD5

    038db1fe98b190bdb85793f6b39bbdd8

  • SHA1

    3cb9e4978cdb7e817b769ed4f13eadeac76c0014

  • SHA256

    8893a5c23f09b252b052cfafadce1065e5934c1f2877a4a11e98467faee05340

  • SHA512

    cff65285dc3d0968b4a29f267e3b0beb488529252f4a36e7ac9817344fea74f42beae08ac482f7ab825b34353236561689dc96cb202098af68a74de6cdeafdfc

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.79:5300

Targets

    • Target

      Purchase Order and Contract Agreement Namtip THAI CO.doc


    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1
    Exploitation for Client Execution (T1203): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2

Tasks