neue bestellung.PDF.exe

General

Target

neue bestellung.PDF.exe

Size

652KB

Sample

210223-7jqe4mrmya

Score

10/10
MD5

a0b16d3a4ce67631e8681b3d3069772c

SHA1

28f64d87e10a9d5f4fe4c508f431b0b0e6ca9103

SHA256

6131d15e138a07ea92924656ba389ef9ad1001ec1ca144be9e7f335b46b1ae9f

SHA512

8c3134360a12e0154cc789cb363ec8ac287ca3066c85366c633a998a4ec349e6daf8e8134459eeb9b19c4fdc13135fb032957f2dfa010bd71061d8f048cd0ebe

Malware Config

Extracted

Family warzonerat
C2

194.5.97.48:3141

Signatures

  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT Payload

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Columns: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1

behavioral2

10/10