Overview

overview

10

Static

static

PDF.exe

windows7_x64

10

PDF.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PDF.iso

  • Size

    868KB

  • Sample

    210702-rxb1kd5g3j

  • MD5

    d9058772fc4491bfb2be6ff3f3b8985f

  • SHA1

    6cb3b4982ad78c626c28f548ca48909ccee69a8f

  • SHA256

    22375ee635115a132f557df892d58c04f76d6d9eae8a77340e9a746273aae4f2

  • SHA512

    815c958ad4e0700312e02dd939aeaac232220355cf998e9173811d79c9b3a3edd0e5df0dd5e0b622d3b5f2329b3ae2ac8b62bbd8723366b5e5a2c4c4736f8e65

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Targets

    • Target

      PDF.exe

    • Size

      807KB

    • MD5

      1032e6ffdbb406b3ee80d7c50989e2b5

    • SHA1

      fb63c770ba76d25f181be481acef62aa2cf5f82c

    • SHA256

      be38a69081db308b628205a8d3bf1053120da733b05f38ac497a295723d2b29f

    • SHA512

      bd5203164dd2a966c1db164f6d472615932a673d7be6105c5c36a130e1bb7582e4a9a479833ecbc102c36a5786ef1e459b8eec944beb8cdf51c763078a2923f3

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks