Overview

overview

10

Static

static

1

REFO21668.xlsx.exe

windows7_x64

10

REFO21668.xlsx.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    REFO21668.xlsx.rar

  • Size

    309KB

  • Sample

    210716-5q1nbzdzg2

  • MD5

    0e6d538c1f3d96178c802cbd124b4fcf

  • SHA1

    5b4e9911fcb69a71480b9af50823cdd65ac4b70f

  • SHA256

    1c6841eed63f41cdbc5b07472d35a762daeff0b3b35f6a6df39859aad8ec7488

  • SHA512

    ac5c84937f028e5fae42cfe056bd6b9520c5a07e380635e3715f87556fb01a90a707e5b17c0bae6f65ed4451b808a8d4ea04f5d2354f6aa8db4c644ed54ea185

Score
10/10
warzoneratinfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

blacice24.hopto.org:5032

Targets

    • Target

      REFO21668.xlsx.exe

    • Size

      403KB

    • MD5

      c608a08fb7b01f8fae2707d4d7f76bc7

    • SHA1

      78f06e5a4eb12ebb3afdd5026ce78cd8afa1b5a1

    • SHA256

      69d13ed33f3712063fae1094b337ddc9e3b8ca02762adc10553630d145e6dfb1

    • SHA512

      656c73ec657597f81d9be6748af315cb86e923c7b735204855a5dd690f14bdd76c33b28af8d837b6bb161e9bbf7295be7daf3bc116fbda47299845464d772017

    Score
    10/10
    warzoneratinfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks