Overview

overview

10

Static

static

1

OQ_PO_4500...v1.exe

windows7_x64

10

OQ_PO_4500...v1.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    OQ_PO_4500148488_Rev1.zip

  • Size

    164KB

  • Sample

    210705-p13xb3nl1e

  • MD5

    b93c4059cd673561428d1fafc604b44d

  • SHA1

    4afb1264a6cb6deb4d01fb35670be31a6c52e923

  • SHA256

    eb9cc50ca63d4dce9240a7b0addffe5949ece11aa8aafac07b2c7072243023e3

  • SHA512

    c3b986649387c216c255f3774398db32bcb352663a6448c48c4135f9eceaaeb9458d4c0b46baf320bfe61255842822502ae471f278e82059582c23ba22587e0f

Score
10/10
warzoneratinfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

blacice24.hopto.org:5032

Targets

    • Target

      OQ_PO_4500148488_Rev1.exe

    • Size

      259KB

    • MD5

      5434606b4299d30ef9ba8d4ddafe3e77

    • SHA1

      3bd6309a6ef81b54accdc5cc3de3d07b9d677ef3

    • SHA256

      322f8919feb65490f33815c92b90a96ccffd0a050d0ae491c360c498f3d2612b

    • SHA512

      aef8f2f571d5ca3759a402b7410abf6a33c62736db12261c73dd4ccb045ab22217688296663e37155eaafa876e60ec7ba7faf9dda91e77f25e1a19074b483c7e

    Score
    10/10
    warzoneratinfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks