Overview

overview

10

Static

static

URLScan

urlscan

http://198.12.110.18...

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://198.12.110.183/vista/vbc.exe

  • Sample

    210629-nbh82c8ebj

Score
10/10
warzoneratinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

seencroundercontroller.webredirect.org:1894

Targets

    • Target

      http://198.12.110.183/vista/vbc.exe

    Score
    10/10
    warzoneratinfostealerpersistenceratspywarestealer

    • Modifies system executable filetype association

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks