Overview

overview

10

Static

static

PURCHASE.EXE

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase_order_eberspacher_sept.iso

  • Size

    1.2MB

  • Sample

    210917-x3vs1sbbgq

  • MD5

    849cbfdeb92b16c4659605992740b705

  • SHA1

    297d0c70c437f4116726af7b1b78e4f86e78cdae

  • SHA256

    0a2c429101173ac2eaa13ceff69426c782cb40c5c0ef871ef9461a725b9cc7ab

  • SHA512

    4a7756dad4510866e33b33732f8a60c065b9ca44f5a00b03fdd972a47c0cf9855e7c0e1efee3c5f6dc6fc4e0b37d6fbf46f4917b5bcdda0681c6e525d81f40a9

Score
10/10
warzoneratinfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

184.75.221.59:7350

Targets

    • Target

      PURCHASE.EXE

    • Size

      617KB

    • MD5

      e0478760e1af4a233be2e05cebc73b85

    • SHA1

      c2809f0d05b78e170c31481b17a57a765d9878e7

    • SHA256

      e5600822c775da813e316783e42306811993b13f49c30d1617f6878b5140b155

    • SHA512

      240520523ea09764c8c04dfcae0a1152c74dab97c7cbb50e030cb3a7c4723113f26fcc06fb2b5bd2e32c8b6ed8f10e5fb227c67e4a2ad0831b096e157494ac96

    Score
    10/10
    warzoneratinfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks