Overview

overview

10

Static

static

413a47af46...39.exe

windows7_x64

10

413a47af46...39.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    413a47af466113b07495cb5bbd3b6439.exe

  • Size

    350KB

  • Sample

    210715-pmwa3brgt2

  • MD5

    413a47af466113b07495cb5bbd3b6439

  • SHA1

    5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

  • SHA256

    691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

  • SHA512

    c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

Score
10/10
warzoneratinfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Targets

    • Target

      413a47af466113b07495cb5bbd3b6439.exe

    • Size

      350KB

    • MD5

      413a47af466113b07495cb5bbd3b6439

    • SHA1

      5c071fc04f4de72f97cdabef4d02f99d4f12a0a8

    • SHA256

      691c75376ade3956492197d79853cab8eb38dca6dc2a7c2be3d4f28f445a3d2b

    • SHA512

      c01c054ff55ce4aed76f06c7a75e9a77b4652e5a1696c3e97427419bff50f6726f45dfc142391b22736840700b167e9602cc0628e9bd87b4e0afbf0012e4995b

    Score
    10/10
    warzoneratinfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks