General

  • Target

    list_9394_spares_0034_394830.pdf.tar

  • Size

    364KB

  • Sample

    211202-qq7hqahacj

  • MD5

    f85f304b50f4f8e3daf912f152cc6459

  • SHA1

    d023520ef2077146bd6065dcabc6255037360a75

  • SHA256

    552056b97b69043abf8aa860469bd915c9c9c7d74c9ab3bc54e768c199618743

  • SHA512

    b380f7949e318d340e298d34a7d1cd091c7cba1139d6a920d3ba6d2268670c65a596015ee7d4174c7e09556ce7b8212f16e3db3dd5b4a872e407eb78020d5437

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    exportmunic007.duckdns.org:5200

Extracted

  • Family

    netwire

  • C2

    podzeye.duckdns.org:6688

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      list_9394_spares_0034_394830.pdf.exe

    • Size

      363KB

    • MD5

      1be7781cf8cd18e3697e1d757df86faf

    • SHA1

      f7287794a7695a5d548e4edb32b85dbfd796ff9b

    • SHA256

      dec95d20b76f488818e6e59450be1f8e927f5c22ae59ed02e958a3e313145ee5

    • SHA512

      2347bfb437f050da063f2439fd0c1c63237616f5903e477002383e73595cc952e87ca17c48ab23b549a832022d1422cc83705a8d312a4251a518ee978e89b962

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) T1064
    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Scripting (1) T1064

  • Discovery

    System Information Discovery (1) T1082

  • Collection

    Email Collection (1) T1114