General

  • Target

    klz4gyUavm3BYrK.exe

  • Size

    589KB

  • Sample

    210401-trp37mh24n

  • MD5

    a4f1d30c779341883a5aa160f647eea6

  • SHA1

    64b7e6d3afe4c776c7ce70451e9f02ffaa1e1aec

  • SHA256

    f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61

  • SHA512

    995027ec72c69dc4ce81ef07d7f3c4106f9e1fc9301dce02336fe5c99c1e941716f2e76c3d80e488368af6ea5a61eb024bd779a605e71eba1a6a4afc48257b63

Malware Config

Extracted

Family

warzonerat

C2

genasispony.hopto.org:4477
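The hashes and the C2 endpoint above are the actionable indicators in this report. The following is an added example, not part of the sandbox report or of any sandbox tooling: it reproduces the four digests the report lists so a file can be checked against them, and scans constructed network-log lines for the C2 hostname and for connections to whatever address that hostname resolved to in the same log. The log format (one `key=value` event per line) and the log contents are constructed for this example and are not real Sysmon or EDR output; `hopto.org` is a No-IP dynamic DNS domain, so the resolved address is taken from the log rather than hard-coded.

```python
"""Match the sandbox report's indicators against file content and network logs.

Added example; not part of the original report. The sample log lines below
are constructed in a simplified key=value form, not real telemetry.
"""
import hashlib
import re
from typing import Iterable, List, Set, Tuple

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "a4f1d30c779341883a5aa160f647eea6",
    "sha1": "64b7e6d3afe4c776c7ce70451e9f02ffaa1e1aec",
    "sha256": "f1b5c3f7c1ee438590757e114f1c379f6c3d5fc7b349cad583976106737beb61",
    "sha512": "995027ec72c69dc4ce81ef07d7f3c4106f9e1fc9301dce02336fe5c99c1e9417"
              "16f2e76c3d80e488368af6ea5a61eb024bd779a605e71eba1a6a4afc48257b63",
}
C2_HOST = "genasispony.hopto.org"  # dynamic DNS: the resolved IP can change
C2_PORT = 4477


def hash_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists (lower-case hex)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matching_hash_algorithms(data: bytes) -> Set[str]:
    """Algorithms whose digest of `data` equals the report's indicator.

    For a genuine copy of the sample every algorithm matches; a partial
    match means an indicator was mistyped, not that the file is related.
    """
    return {alg for alg, h in hash_bytes(data).items() if h == IOC_HASHES[alg]}


# Constructed sample log for the example (not real telemetry).
SAMPLE_LOG = [
    r"event=dns host=WS01 query=update.microsoft.com answer=20.190.160.1",
    r"event=dns host=WS01 query=GenasisPony.hopto.org answer=203.0.113.45",
    r"event=net host=WS01 image=C:\Users\u\AppData\Roaming\klz4gyUavm3BYrK.exe dst=203.0.113.45 dport=4477",
    r"event=net host=WS02 image=C:\Windows\System32\svchost.exe dst=93.184.216.34 dport=443",
    r"event=dns host=WS03 query=genasispony.hopto.org.corp.local answer=NXDOMAIN",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every event that touches the C2.

    Pass 1 collects the addresses the C2 hostname resolved to in this log,
    so connections are matched on the live DNS answer instead of an IP that
    dynamic DNS may already have rotated. Pass 2 flags the lookups and the
    connections to those addresses. Hostnames are compared case-insensitively
    and exactly, so a longer name that merely embeds the C2 name is ignored.
    """
    events = [parse_event(line) for line in lines]

    resolved: Set[str] = set()
    for ev in events:
        query = ev.get("query", "").lower().rstrip(".")
        if ev.get("event") == "dns" and query == C2_HOST and ev.get("answer") != "NXDOMAIN":
            resolved.add(ev["answer"])

    hits: List[Tuple[int, str]] = []
    for n, ev in enumerate(events, 1):
        query = ev.get("query", "").lower().rstrip(".")
        if ev.get("event") == "dns" and query == C2_HOST:
            hits.append((n, f"DNS lookup of C2 host {C2_HOST}"))
        elif ev.get("event") == "net" and ev.get("dst") in resolved:
            port_note = " (C2 port)" if ev.get("dport") == str(C2_PORT) else ""
            hits.append((n, f"{ev.get('image')} connected to C2 address "
                            f"{ev['dst']}:{ev.get('dport')}{port_note}"))
    return hits


if __name__ == "__main__":
    for n, why in scan_log(SAMPLE_LOG):
        print(f"line {n}: {why}")
```

Exact hostname matching keeps the false-positive rate low but will not catch subdomains of the C2 name; a lower-severity alert on any lookup under `hopto.org` is a reasonable complement, since free dynamic DNS parents are common in commodity RAT configurations.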

Targets

    • Target

      klz4gyUavm3BYrK.exe

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS); optional plugins extend the core with additional capabilities.

    • Warzone RAT Payload

      A Warzone RAT payload was identified in the sample; the family and C2 listed under Malware Config were extracted from its configuration.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including its instruction pointer. Benign software rarely calls it, but process hollowing and related injection techniques use it to point a suspended process's main thread at injected code before resuming it.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                      Count  ID
Execution             Scheduled Task                 1      T1053
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Discovery             System Information Discovery   1      T1082

The same Scheduled Task behaviour is listed under three tactics because ATT&CK v6 maps T1053 to Execution, Persistence and Privilege Escalation; the count is the number of matching signatures, not three separate behaviours.

Tasks