General

  • Target

    87837f84cff6aaa529c7a54fcbae5d446765eb853e5a0fd78ff7b7a2a98fd768

  • Size

    1.3MB

  • Sample

    220216-31ftzafghq

  • MD5

    b3132898a75f8fae61ac2b1966562a10

  • SHA1

    b1c0e22eee6b560048e7d5261e0871cd9b4ce5c6

  • SHA256

    87837f84cff6aaa529c7a54fcbae5d446765eb853e5a0fd78ff7b7a2a98fd768

  • SHA512

    dcd362be2509365df975964ba5d1a67568963abf7220a027362bf6d503fd012d0b89e3dd381faf2b48ea0f0e382f54d7124c5e71f2ba6511a365c710050033f0

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      87837f84cff6aaa529c7a54fcbae5d446765eb853e5a0fd78ff7b7a2a98fd768

    • Size

      1.3MB

    • MD5

      b3132898a75f8fae61ac2b1966562a10

    • SHA1

      b1c0e22eee6b560048e7d5261e0871cd9b4ce5c6

    • SHA256

      87837f84cff6aaa529c7a54fcbae5d446765eb853e5a0fd78ff7b7a2a98fd768

    • SHA512

      dcd362be2509365df975964ba5d1a67568963abf7220a027362bf6d503fd012d0b89e3dd381faf2b48ea0f0e382f54d7124c5e71f2ba6511a365c710050033f0

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.
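The two things a responder actually reuses from a report like this are the digests (to confirm that a file found on an endpoint is the same sample) and the extracted C2 (to hunt in connection logs). The following is an added example, not code from the sandbox report or from the malware family it describes: it copies the digests and the C2 string from the report above, sanity-checks the digest strings, computes all four digests of a local file in one pass and diffs them against the report, parses the C2 into host and port, and matches it against a constructed `dst=host:port` log format that is assumed for illustration (the sample bytes and log lines are placeholders, not the real file or real traffic).

```python
"""Cross-check a local file against the digests published in the report
above and turn the extracted C2 into an indicator that can be matched
against connection logs.

Added example, not part of the original report. Digests and C2 string
are copied from the report; the sample bytes and log lines below are
constructed placeholders."""
import hashlib
import re

# Values copied from the report above.
REPORT = {
    "md5": "b3132898a75f8fae61ac2b1966562a10",
    "sha1": "b1c0e22eee6b560048e7d5261e0871cd9b4ce5c6",
    "sha256": "87837f84cff6aaa529c7a54fcbae5d446765eb853e5a0fd78ff7b7a2a98fd768",
    "sha512": "dcd362be2509365df975964ba5d1a67568963abf7220a027362bf6d503fd012d"
              "0b89e3dd381faf2b48ea0f0e382f54d7124c5e71f2ba6511a365c710050033f0",
}
REPORT_C2 = "wealth.warzonedns.com:5202"

# Expected hex length of each digest; a copy-paste error in an IOC list
# shows up here instead of as a silent non-match later.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Constructed log lines in a hypothetical "dst=host:port" format (assumption).
SAMPLE_LOG = [
    "2022-02-16T10:01:02Z src=10.0.0.5 dst=wealth.warzonedns.com:5202 proto=tcp",
    "2022-02-16T10:01:03Z src=10.0.0.5 dst=update.example.com:443 proto=tcp",
    "2022-02-16T10:02:10Z src=10.0.0.9 dst=wealth.warzonedns.com:443 proto=tcp",
    "2022-02-16T10:02:11Z src=10.0.0.9 dst=WEALTH.WARZONEDNS.COM:5202 proto=tcp",
]


def validate_report_hashes(report):
    """Return a list of problems with the digest strings (empty if all are well-formed)."""
    problems = []
    for algo, value in report.items():
        if algo not in HEX_LEN:
            problems.append(f"{algo}: unknown algorithm")
        elif len(value) != HEX_LEN[algo]:
            problems.append(f"{algo}: expected {HEX_LEN[algo]} hex chars, got {len(value)}")
        elif not re.fullmatch(r"[0-9a-fA-F]+", value):
            problems.append(f"{algo}: not hexadecimal")
    return problems


def digest_all(data, chunk=1 << 20):
    """Compute MD5, SHA1, SHA256 and SHA512 in a single pass over the bytes."""
    hashers = {algo: hashlib.new(algo) for algo in HEX_LEN}
    for offset in range(0, len(data), chunk):
        block = data[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def compare_with_report(data, report):
    """Return {algo: (expected, actual)} for every digest that differs.
    An empty dict means the bytes match every digest the report lists."""
    actual = digest_all(data)
    return {algo: (report[algo].lower(), actual[algo])
            for algo in report if report[algo].lower() != actual[algo]}


def parse_c2(c2):
    """Split a 'host:port' C2 string into (host, port); reject malformed input."""
    m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d{1,5})", c2.strip())
    if not m:
        raise ValueError(f"unparseable C2 string: {c2!r}")
    host, port = m.group(1).lower().rstrip("."), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port


def find_c2_connections(log_lines, host, port):
    """Return (line_number, line) for each log line whose destination is host:port.
    Hostnames are compared case-insensitively and without a trailing dot."""
    pattern = re.compile(r"dst=(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)")
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = pattern.search(line)
        if m and m.group("host").lower().rstrip(".") == host and int(m.group("port")) == port:
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    print("report digests well-formed:", validate_report_hashes(REPORT) == [])
    fake_sample = b"MZ\x90\x00" + b"\x00" * 60  # constructed stand-in, not the real file
    print("digests differing from report:", sorted(compare_with_report(fake_sample, REPORT)))
    host, port = parse_c2(REPORT_C2)
    for n, line in find_c2_connections(SAMPLE_LOG, host, port):
        print(f"C2 hit on log line {n}: {line}")
```

The C2 is published as a hostname rather than an IP, so the matching is done on the name as seen in DNS, proxy or flow logs; whatever address it resolved to during the sandbox run is a weaker, time-bound indicator. A file that matches only some of the listed digests is a copy error in one of the values, not a partial match, which is why the sanity check on length and hex alphabet runs before any comparison.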
