General

  • Target

    ZeAJce00z3qhR4M.exe

  • Size

    1.4MB

  • Sample

    210726-11wjazxv7e

  • MD5

    027d00c9ed605bfbcb8615aa0f062889

  • SHA1

    c982c2a5ce8cbae143820ba6529b189113b4c2ca

  • SHA256

    71213fcacf32e5693b18d4cfcadc7ba7a03da3c84c614308037049796e58c645

  • SHA512

    b52b3d4e1a6f0a2f61be9e3b7d28d2310037c983d9e4bb3901db8c82e2f04413e8d88bea3fbf57b9c837fa7c7495162ce7b76a0d7fb1d0e334f4848c87d5b3fb

Malware Config

Extracted

Family

warzonerat

C2

84.38.133.199:5200

Targets

    • Target

      ZeAJce00z3qhR4M.exe

    • Size

      1.4MB

    • MD5

      027d00c9ed605bfbcb8615aa0f062889

    • SHA1

      c982c2a5ce8cbae143820ba6529b189113b4c2ca

    • SHA256

      71213fcacf32e5693b18d4cfcadc7ba7a03da3c84c614308037049796e58c645

    • SHA512

      b52b3d4e1a6f0a2f61be9e3b7d28d2310037c983d9e4bb3901db8c82e2f04413e8d88bea3fbf57b9c837fa7c7495162ce7b76a0d7fb1d0e334f4848c87d5b3fb

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                       Count   ID
  Credential Access   Credentials in Files            1       T1081
  Discovery           System Information Discovery    1       T1082
  Collection          Data from Local System          1       T1005
