Overview

overview

10

Static

static

JOB-in.lin...sx.exe

windows7_x64

10

JOB-in.lin...sx.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe

  • Size

    782KB

  • Sample

    210701-qsz5wv3d2n

  • MD5

    851835c0488a22e389e2ce7793f3cb02

  • SHA1

    afb6572bc1e6e2f0a76a677bca60b146f50d3bd7

  • SHA256

    8a1ceb6687babe6ab82a38ca344d1092a7fc9bd6dbaf3420a3311c50131928ef

  • SHA512

    60fc9ffca1f2790288bb9dd60ca4a8a5eaff42a48f5a5c6ccb59efb319be862af0b699e71a7d0522cb24a5b36dcd8b9c783d31c7eadee0ebdae9b6e5df836e8e

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

13.82.24.228:5918

Targets

    • Target

      JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe

    • Size

      782KB

    • MD5

      851835c0488a22e389e2ce7793f3cb02

    • SHA1

      afb6572bc1e6e2f0a76a677bca60b146f50d3bd7

    • SHA256

      8a1ceb6687babe6ab82a38ca344d1092a7fc9bd6dbaf3420a3311c50131928ef

    • SHA512

      60fc9ffca1f2790288bb9dd60ca4a8a5eaff42a48f5a5c6ccb59efb319be862af0b699e71a7d0522cb24a5b36dcd8b9c783d31c7eadee0ebdae9b6e5df836e8e

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks