Overview

overview

10

Static

static

order_inqu...ls.exe

windows7_x64

10

order_inqu...ls.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    order_inquiry2094.xls.exe

  • Size

    628KB

  • Sample

    210406-m6rd5rys2e

  • MD5

    003847b258308e9f6eb05039a6e5de21

  • SHA1

    3093af80d725fbc8cbac621c938a512464a698da

  • SHA256

    fbe04315f08ff50022d31fb59aeb9462d9930ea7fb84ebe4cdfd5d9fedc4b0df

  • SHA512

    f535d9a2e1653141bc9043570e6593760918c2a66b9a583b95a281db8e9b495c07682b426e222fd5658edf62e6cb44017bd5a4372b028de9a391f2fc59d4e02d

Score
10/10
warzoneratinfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.102:1414

Targets

    • Target

      order_inquiry2094.xls.exe

    • Size

      628KB

    • MD5

      003847b258308e9f6eb05039a6e5de21

    • SHA1

      3093af80d725fbc8cbac621c938a512464a698da

    • SHA256

      fbe04315f08ff50022d31fb59aeb9462d9930ea7fb84ebe4cdfd5d9fedc4b0df

    • SHA512

      f535d9a2e1653141bc9043570e6593760918c2a66b9a583b95a281db8e9b495c07682b426e222fd5658edf62e6cb44017bd5a4372b028de9a391f2fc59d4e02d

    Score
    10/10
    warzoneratinfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks