CamScanner_PO#44070_Ref_989462 PO#55088_Ref_90411927.exe

General
Target

CamScanner_PO#44070_Ref_989462 PO#55088_Ref_90411927.exe

Size

877KB

Sample

210724-rem1kj9n8n

Score
10 /10
MD5

80b19ac73aafce17ca375242ba9eb321

SHA1

9e8d0906490bfa2bf3c95241a4a190837980e9ef

SHA256

38fb16c57672bbf11231b5671407d0d0e2c5025bf4fb38cdbb9d427732748489

SHA512

26f5dadcf055cfa0092379f7291f4645b9dbec328d54fee9ba115a26f1bb91fd3d8d29cf154f48465c8e33eb02ad71344834fd46c942ca4128b227586a4c7929

Malware Config

Extracted

Family warzonerat
C2

pentester01.duckdns.org:23411

Targets
Target

CamScanner_PO#44070_Ref_989462 PO#55088_Ref_90411927.exe

MD5

80b19ac73aafce17ca375242ba9eb321

Filesize

877KB

Score
10 /10
SHA1

9e8d0906490bfa2bf3c95241a4a190837980e9ef

SHA256

38fb16c57672bbf11231b5671407d0d0e2c5025bf4fb38cdbb9d427732748489

SHA512

26f5dadcf055cfa0092379f7291f4645b9dbec328d54fee9ba115a26f1bb91fd3d8d29cf154f48465c8e33eb02ad71344834fd46c942ca4128b227586a4c7929

Tags

Signatures

  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    Tags

  • Warzone RAT Payload

    Tags

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    behavioral1

                    10/10

                    behavioral2

                    10/10