General

  • Target

    856b6a4947e1b0c30ceecd54c218a5126838344c17405b64294bf7910a316d06

  • Size

    1.3MB

  • Sample

    220217-abzassefe4

  • MD5

    2db07842ff7f17bca5b7fa222b0fb2bf

  • SHA1

    33055d2e37b7d42dc744c579e8daea21f5bf79f8

  • SHA256

    856b6a4947e1b0c30ceecd54c218a5126838344c17405b64294bf7910a316d06

  • SHA512

    14be10d71d64bfe6c17f62b84229b73b48ea23c85d59eb7a35613c58ad23a157fee67281371a84cfb8253af0907f74a0fe449112458be5156965ba4642bd0690

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      856b6a4947e1b0c30ceecd54c218a5126838344c17405b64294bf7910a316d06

    • Size

      1.3MB

    • MD5

      2db07842ff7f17bca5b7fa222b0fb2bf

    • SHA1

      33055d2e37b7d42dc744c579e8daea21f5bf79f8

    • SHA256

      856b6a4947e1b0c30ceecd54c218a5126838344c17405b64294bf7910a316d06

    • SHA512

      14be10d71d64bfe6c17f62b84229b73b48ea23c85d59eb7a35613c58ad23a157fee67281371a84cfb8253af0907f74a0fe449112458be5156965ba4642bd0690

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks