434c581d692f438caa4dcae3d42c32d4

General

Target: 434c581d692f438caa4dcae3d42c32d4
Size: 669KB
Sample: 210915-hts6haaae6
Score: 10/10
MD5: 434c581d692f438caa4dcae3d42c32d4
SHA1: 6f1fc19c1c796117366d744cd33998c34bab8e6f
SHA256: 3971845bb66080170f9c166e1fcaf497d598dcfc5fbc380f0363711fc73e0580
SHA512: a06dbca9c28763005dff82eda81326d455a305d32fffee0dce8b5019faa5aefaf2e15a78c151519ab032723264274c457a516acab3fafbef757714d8ad64b7e0

Malware Config

Extracted

Family: warzonerat
C2: pentester01.duckdns.org:60976

Targets

Target: 434c581d692f438caa4dcae3d42c32d4 (669KB, score 10/10; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures

  • WarzoneRat, AveMaria
    Description: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT Payload

  • Blocklisted process makes network request

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

Related Tasks

MITRE ATT&CK Matrix: Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1

behavioral1

1/10