General

  • Target

    5b05e594d319f6d70ac64e5516623e00

  • Size

    246KB

  • Sample

    210723-ajd9n1spr2

  • MD5

    5b05e594d319f6d70ac64e5516623e00

  • SHA1

    106e4355f90abce23844b75d6b6349a0caf3667c

  • SHA256

    1a23d8fe69766ecb6f3c71a5bc952e7636d4b6522d2975491622816235e63171

  • SHA512

    b796155db0fc285daec4ea9e05414f1ad5264a3ed385e782e6f3fdde90531a89e647320f7a8accbe348657af0dabd28de107240bf3a8caf921997c2901055334

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    desireblex.ddns.net:5490

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 1 signature

  • Collection

    Data from Local System (T1005), 1 signature

Tasks