General

  • Target

    perchase order.pdf.exe

  • Size

    857KB

  • Sample

    210415-lxqxtr9mae

  • MD5

    26be3a515c42d2bc57e190143fe239f2

  • SHA1

    2049d1c5d7e389f134ce94dc7e3d64cb86a9ff6c

  • SHA256

    5e2d71b05993c4b8e96fec7d0587625bcd45168d1c2deda8be007d7b18da8927

  • SHA512

    422d051609b1659be0bffa0dbcaefbed967b3ae6f7870ab241264801dd32b5a46b2044ce5a0b95a802bd8ae9e63fe644cbd1aa8d2460b7a780ad6f15e5cdeed5

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.102:1414
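A network-side check for the extracted C2, as an added example that is not part of the sandbox report: it parses Zeek conn.log style records and flags sessions to the C2 host and port listed above. The conn.log excerpt, its internal addresses and the session IDs are constructed for the example; the C2 address is the one the report extracted.

```python
"""Network-IOC check for the C2 extracted from this sample.

Added example, not part of the sandbox report. The log excerpt below is
constructed for the example; the C2 address is the one the report lists
under "Malware Config".
"""
from typing import Dict, List, Tuple

# Indicator from the report's "Malware Config" section.
C2_HOST = "79.134.225.102"
C2_PORT = 1414

# Constructed Zeek conn.log excerpt (tab-separated, #fields header as Zeek writes it).
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1618465201.123\tCx1a\t10.0.0.15\t49811\t93.184.216.34\t443\ttcp\tssl\t1.20\t1450\t9800\tSF\n"
    "1618465233.456\tCx1b\t10.0.0.15\t49820\t79.134.225.102\t1414\ttcp\t-\t3600.0\t15830\t2210\tS1\n"
    "1618465240.789\tCx1c\t10.0.0.22\t49901\t79.134.225.102\t80\ttcp\thttp\t0.5\t300\t1200\tSF\n"
    "1618465300.000\tCx1d\t10.0.0.15\t49833\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Turn a Zeek conn.log excerpt into dicts keyed by the #fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close ...
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            continue                      # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_c2_connections(records: List[Dict[str, str]], host: str = C2_HOST,
                        port: int = C2_PORT) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split records into exact host:port hits and same-host/other-port hits.

    The second tier is kept separate because RAT operators reuse infrastructure
    across ports and campaigns: a session to the C2 host on a port the config
    does not mention is still worth an analyst's attention.
    """
    exact: List[Dict[str, str]] = []
    same_host: List[Dict[str, str]] = []
    for r in records:
        if r.get("id.resp_h") != host:
            continue
        if r.get("id.resp_p") == str(port):
            exact.append(r)
        else:
            same_host.append(r)
    return exact, same_host


def affected_hosts(records: List[Dict[str, str]], host: str = C2_HOST,
                   port: int = C2_PORT) -> List[str]:
    """Internal hosts that reached the C2 on the configured port (triage scope)."""
    exact, _ = find_c2_connections(records, host, port)
    return sorted({r["id.orig_h"] for r in exact})


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    hits, related = find_c2_connections(recs)
    for r in hits:
        print(f"C2 HIT  uid={r['uid']} {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} dur={r['duration']}s")
    for r in related:
        print(f"RELATED uid={r['uid']} {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']}")
    print("affected hosts:", affected_hosts(recs))
```

The long-lived session (3600 s, conn_state S1) to 79.134.225.102:1414 is what a WarzoneRAT beacon looks like in conn.log; the same host on port 80 is reported separately so it is not lost but also not conflated with the configured C2 channel.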

Targets

    • Target

      perchase order.pdf.exe

    • Size

      857KB

    • MD5

      26be3a515c42d2bc57e190143fe239f2

    • SHA1

      2049d1c5d7e389f134ce94dc7e3d64cb86a9ff6c

    • SHA256

      5e2d71b05993c4b8e96fec7d0587625bcd45168d1c2deda8be007d7b18da8927

    • SHA512

      422d051609b1659be0bffa0dbcaefbed967b3ae6f7870ab241264801dd32b5a46b2044ce5a0b95a802bd8ae9e63fe644cbd1aa8d2460b7a780ad6f15e5cdeed5

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT Payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      SetThreadContext is used by process-injection and process-hollowing loaders to redirect a thread into injected code.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Credential Access     Credentials in Files           1      T1081
  Discovery             System Information Discovery   1      T1082
  Collection            Data from Local System         1      T1005
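A host-side hunt for the Scheduled Task rows (T1053), as an added example that is not part of the sandbox report: it reads Task Scheduler XML, the format `schtasks /query /xml <name>` and `Export-ScheduledTask` produce, and flags tasks whose action runs a binary from a user-writable directory or with a deceptive double extension such as .pdf.exe. The two task definitions, their names, the trigger values and the list of user-writable path markers are constructed for the example; the XML declaration real exports carry is omitted so the text parses directly.

```python
"""Scheduled-task persistence audit for the T1053 rows in the ATT&CK matrix.

Added example, not part of the sandbox report. The task definitions, task
names and the heuristic path list are constructed for the example.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic: locations a non-admin user can write to (constructed; extend per environment).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
    "\\downloads\\", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

# Constructed task resembling a vendor updater installed under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\VendorUpdater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2021-04-15T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Vendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed task of the kind a RAT dropper registers: runs the sample from AppData at logon.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsUpdateCheck</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\bob\AppData\Roaming\perchase order.pdf.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def deceptive_double_extension(command: str) -> bool:
    """True for names like 'invoice.pdf.exe': a non-executable suffix hiding an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(command.strip('"')).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] not in EXECUTABLE_EXTS)


def in_user_writable_dir(command: str) -> bool:
    """True when the command path passes through a directory from USER_WRITABLE_MARKERS."""
    c = command.strip('"').lower()
    return any(marker in c for marker in USER_WRITABLE_MARKERS)


def audit_task_xml(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious Exec action in a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    # Trigger element names (LogonTrigger, CalendarTrigger, ...) without the namespace prefix.
    triggers = [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)]
    findings: List[Dict[str, object]] = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS)
        reasons = []
        if in_user_writable_dir(command):
            reasons.append("user-writable directory")
        if deceptive_double_extension(command):
            reasons.append("double extension")
        if reasons:
            findings.append({"task": name, "command": command,
                             "triggers": triggers, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for xml_text in (BENIGN_TASK, SUSPICIOUS_TASK):
        for f in audit_task_xml(xml_text):
            print(f"{f['task']}: {f['command']} triggers={f['triggers']} reasons={f['reasons']}")
```

Run it over every task exported from a suspect host; a LogonTrigger task whose action lives under AppData is the T1053 persistence this matrix refers to, and the double-extension check catches the naming trick the sample itself uses.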
