General

  • Target

    86a0319248cd02a1ef950399b961c5a560b1695eceb352258f02b73bd5c3c260

  • Size

    1.3MB

  • Sample

    220217-aaf3tsfhaq

  • MD5

    893a5605eaee11e10b2234edd8ef0571

  • SHA1

    1b53e5e2cbe2368f37411b83e989e6d17310ffbc

  • SHA256

    86a0319248cd02a1ef950399b961c5a560b1695eceb352258f02b73bd5c3c260

  • SHA512

    1c2c45534a60f05848b739b24641980b3abaf1dbd10d6ba20a5995c31850e2a313ebe9107a35ffa67e1777c7f72147abbd22575ed3dbbc850e9f4c831582e46e

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      86a0319248cd02a1ef950399b961c5a560b1695eceb352258f02b73bd5c3c260

    • Size

      1.3MB

    • MD5

      893a5605eaee11e10b2234edd8ef0571

    • SHA1

      1b53e5e2cbe2368f37411b83e989e6d17310ffbc

    • SHA256

      86a0319248cd02a1ef950399b961c5a560b1695eceb352258f02b73bd5c3c260

    • SHA512

      1c2c45534a60f05848b739b24641980b3abaf1dbd10d6ba20a5995c31850e2a313ebe9107a35ffa67e1777c7f72147abbd22575ed3dbbc850e9f4c831582e46e

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks