General

  • Target

    PO1223.exe

  • Size

    842KB

  • Sample

    210525-tl4pspfsqx

  • MD5

    260bb2d5fb66ec1f2acadb791df18fdd

  • SHA1

    cfc75c79f127309936bb1854c54bc6209d9b689a

  • SHA256

    b6f0e221dc2c0f99c4513331f8e2a4ab8f22d37f8a8ee49bd3566ea55b7bd885

  • SHA512

    1d467ec542ecc1746c7baf9f09ea72cdf7590f715b18ba8f1c022a4f6060062733b78622e254c9c303c64e1a33800604092faec863e0029ca8773fc6b80a6cb0

Malware Config

Extracted

Family

warzonerat

C2

37.120.210.211:22612

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Looks for VirtualBox Guest Additions in registry

    • Warzone RAT Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
