RFQ - RM678890 RM66789.XLX.exe

General
Target

RFQ - RM678890 RM66789.XLX.exe

Size

1MB

Sample

211125-t5dqqsbbc6

Score

10/10

MD5

08c72bf1f25b905f3eefd881a8cfaf95

SHA1

2fea140816601b3b5d02d8d18b860f1c88e099af

SHA256

7d2513132d07adf745141e5860b022afce543e2070a17d303833171d45f93e90

SHA512

94dde4a345393d10b59f1011c78df1143311090bb72388aa6bf61f34ac2346d606c6849096d38e9165a3091406474a3d1aa85a0ea21c548d3c771d8d0b74e841

Malware Config

Extracted

Family warzonerat
C2

91.193.75.173:6667

Targets
Target

RFQ - RM678890 RM66789.XLX.exe

MD5

08c72bf1f25b905f3eefd881a8cfaf95

Filesize

1MB

Score

10/10

SHA1

2fea140816601b3b5d02d8d18b860f1c88e099af

SHA256

7d2513132d07adf745141e5860b022afce543e2070a17d303833171d45f93e90

SHA512

94dde4a345393d10b59f1011c78df1143311090bb72388aa6bf61f34ac2346d606c6849096d38e9165a3091406474a3d1aa85a0ea21c548d3c771d8d0b74e841

Signatures

  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT Payload

  • Executes dropped EXE

  • Drops startup file

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files

  • Accesses Microsoft Outlook profiles

    TTPs

    Email Collection

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation