Overview

overview

10

Static

static

Quotation ...er.exe

windows7_x64

3

Quotation ...er.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotation for named specification new order.tar.gz

  • Size

    593KB

  • Sample

    210714-blymvah8tn

  • MD5

    2b216584c4d55e8ef093e239448ebc8b

  • SHA1

    dfe9455a6559f1e821fe6fcb721275061f27bfa5

  • SHA256

    e59dae30834e8d82c8cd20b919ae274c02ea83e07bdc9d467a8a877bb8d741b6

  • SHA512

    1874edc1cf807e75d6f72aae37c4508e822d59828a186ee30771509be32c93d4814fbdafd44d62f06f9837033a1f3689f8a8c49991afbae2d2ac3a7ca0d859d8

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

princekelvin.ddns.net:4545

Targets

    • Target

      Quotation for named specification new order.exe

    • Size

      786KB

    • MD5

      b8f0f94f760baa38503ac7da4faab222

    • SHA1

      2775a004ef8bfdb79ed2fae45066b49d740b1afc

    • SHA256

      d3147c430d999a7e8337cfb4120dff3079eef4bf51abc0c979f424eff86f1845

    • SHA512

      1c789c724bd67ea1b5a0ee365b8bb40768e87cef7f861f76bdfa9ec7bf99be507d3233b8450722e63378eaa3f841deb94a643925747ad6bb491401b26b5715ec

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks