General

  • Target

    SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217

  • Size

    1.3MB

  • Sample

    210608-tybhkczc92

  • MD5

    e7e098ec6c3ca85ffd4cb7f2c4605311

  • SHA1

    8d300f5e2ca8375173de14d4319209f16fc1c10e

  • SHA256

    a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254

  • SHA512

    4ba3b152268116d36c33e5e1a7f079b907d68465084da8725225b08de4ffaadc42bc9464806b359ab197031be2bb7554c1d422773f66bc469b2701d96a0b77d0

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.94:5352

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks