Overview

overview

10

Static

static

Roominglist.js

windows7_x64

10

Roominglist.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Roominglist.js

  • Size

    167KB

  • Sample

    210520-5378dkavxj

  • MD5

    ed8cae0f23bab8b9b0b591858e9b2ede

  • SHA1

    7c22f8392d58cbe98069f519f348b56228865bca

  • SHA256

    b045aaa5531d999fd24dc75da1df6a9f56402225aeed8269297bbfafecf18147

  • SHA512

    946df5fd66af4c4b2fb8c1276be2ffa2034be5ee8ed484eea517a477cde97cb4a5bd78707fdc8443714850c946a667a717e343c5a2f1ba4242f6d5ecf9a6a304

Score
10/10
warzoneratinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

global22.ddns.net:8080

Targets

    • Target

      Roominglist.js

    • Size

      167KB

    • MD5

      ed8cae0f23bab8b9b0b591858e9b2ede

    • SHA1

      7c22f8392d58cbe98069f519f348b56228865bca

    • SHA256

      b045aaa5531d999fd24dc75da1df6a9f56402225aeed8269297bbfafecf18147

    • SHA512

      946df5fd66af4c4b2fb8c1276be2ffa2034be5ee8ed484eea517a477cde97cb4a5bd78707fdc8443714850c946a667a717e343c5a2f1ba4242f6d5ecf9a6a304

    Score
    10/10
    warzoneratinfostealerratpersistencespywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks