General

  • Target: 82dd2ffb9d124f9dd7c3df26df743675
  • Size: 996KB
  • Sample: 210915-h63wgadbcm
  • MD5: 82dd2ffb9d124f9dd7c3df26df743675
  • SHA1: 63fe36b3db247e06f5823a47735dcccd1ba65bd3
  • SHA256: 4b3e872365db5c5fd41d596837b761900d549c8d70247105b2a3451a34b7e74d
  • SHA512: 3d0d4a86203e08cb8373a3f560f02dc9dd11ffe87b0c468e59f2446d7f12c5ecabfc44bd2c8ea0fe37d6ae0b80a7ec083bcf48ed8e0dbbac9dd56016c2f15721

Malware Config

Extracted

  • Family: warzonerat
  • C2: engkaa.ddns.net:4545

Targets

    • WarzoneRat, AveMaria
      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
    • Warzone RAT Payload
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files, T1081 (1)
  • Collection: Data from Local System, T1005 (1)

Tasks