Overview

overview

10

Static

static

Request Fo...er.exe

windows7_x64

1

Request Fo...er.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Request For New Qoute - Ist Order.exe

  • Size

    25KB

  • Sample

    211013-lgjcbadffj

  • MD5

    065ee8fa88089e6576aad4b66d1322f8

  • SHA1

    fadd1d9044f51212fa81c9f3fe676915c1f99d42

  • SHA256

    11f7307f314fccd2b1162443bb699d885f5e325b4b638a10997d98247463acfe

  • SHA512

    facc63e88bda539b169bae754cb5644e3df07a12d52bcfab0ae441ce6f00ee834f251ea81502617a11bb0da59436e427729cf914e7ff953499286170e8567324

Score
10/10
warzoneratcollectioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

enginekeysmoney.ddns.net:9671

Targets

    • Target

      Request For New Qoute - Ist Order.exe

    • Size

      25KB

    • MD5

      065ee8fa88089e6576aad4b66d1322f8

    • SHA1

      fadd1d9044f51212fa81c9f3fe676915c1f99d42

    • SHA256

      11f7307f314fccd2b1162443bb699d885f5e325b4b638a10997d98247463acfe

    • SHA512

      facc63e88bda539b169bae754cb5644e3df07a12d52bcfab0ae441ce6f00ee834f251ea81502617a11bb0da59436e427729cf914e7ff953499286170e8567324

    Score
    10/10
    warzoneratcollectioninfostealerpersistenceratspywarestealer

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks