CLEW enquiry 2021.PDF.exe

General

Target: CLEW enquiry 2021.PDF.exe
Size: 471KB
Sample: 210311-vpqzxl3hma
Score: 10/10
MD5: 54354bddb2f478a548edda9ff940f0d1
SHA1: 539d0510ce7e27cbf18e30952f6ae151cea8eb1e
SHA256: 6d72e21f8eed71f706041b12c6efaa66fd12ad213a48415f682a19b0f3e46f17
SHA512: 788866f1da8e8fcacefd58be1b144d23cdb69c0132648edf7a79f394d4eb7fe405deeab829be583674943ba2f2c3795da6aeabd6d4dbbf3d6233c04b590ce8dc

Malware Config (Extracted)

Family: warzonerat
C2: 79.134.225.26:3141


Signatures

  • WarzoneRat, AveMaria
    Description: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Suspicious use of SetThreadContext

Tasks: static1, behavioral2 (score 10/10)