Overview

overview

10

Static

static

PR14266398...ls.exe

windows7_x64

10

PR14266398...ls.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PR142663982RFP.xls.exe

  • Size

    649KB

  • Sample

    210305-v4hjsjyhvs

  • MD5

    99cef60409b13a3ebc20998dd25c0b2f

  • SHA1

    5a293251cbd25098185b5177b031c45a50472228

  • SHA256

    b1b6dd7f3a2eb222c3287e31b61a85b23ad0b037b8510d172b03b99565da80b8

  • SHA512

    430f0a03dcd67125a4ca5945a771b5fefe116d6d2684a6ebd2f3e4600d51336dde7cd85fdff3cf1c34a0924d5b636de64e5d503bc7e6c184db8a18f7e6cc684d

Score
10/10
warzoneratinfostealerratspyware

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.48:3141

Targets

    • Target

      PR142663982RFP.xls.exe

    • Size

      649KB

    • MD5

      99cef60409b13a3ebc20998dd25c0b2f

    • SHA1

      5a293251cbd25098185b5177b031c45a50472228

    • SHA256

      b1b6dd7f3a2eb222c3287e31b61a85b23ad0b037b8510d172b03b99565da80b8

    • SHA512

      430f0a03dcd67125a4ca5945a771b5fefe116d6d2684a6ebd2f3e4600d51336dde7cd85fdff3cf1c34a0924d5b636de64e5d503bc7e6c184db8a18f7e6cc684d

    Score
    10/10
    warzoneratinfostealerratspyware

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks