General

  • Target

    Urgent_request_for_quotation.exe

  • Size

    736KB

  • Sample

    210722-m7gtsajc22

  • MD5

    392c8ecd4e0adeffe68d8365a4834bc1

  • SHA1

    7e84b2d4cb21efa0324c956ff7f7d5c12fbb586f

  • SHA256

    6cd9680a21d7f13a34e111c1f9e645b1b657b8b7e13ce16deddfee2b003f7579

  • SHA512

    891dd53d7f3ffd1811fbf5b7bb2e3a645c9fe7294957bb0c46e0f45ece8566226904c69e20d3174ce5de33b5932b9c7d5ae18f333d78f0f9ef862d27a253f2f9

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.8:8654

Targets

    • Target

      Urgent_request_for_quotation.exe


    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation