General

  • Target

    83818d0b790c51003b3f09042f4a8a6f665657f11b43001ed7ebf4728dabf680

  • Size

    1.3MB

  • Sample

    220217-adjccseff4

  • MD5

    817e50ca6790c827ce6ee8d122a151cf

  • SHA1

    260f46c33541119e281a932aaa160c2bb3cf0429

  • SHA256

    83818d0b790c51003b3f09042f4a8a6f665657f11b43001ed7ebf4728dabf680

  • SHA512

    0ff143d30878973ef33f0b1caeb4e60c685ff00378c34519690d10f7b9cafcfc32c76f091e48d3e4c4f4e2c1ed917f4064fbf63c3b98ac9255eae38df4e85d8b

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      83818d0b790c51003b3f09042f4a8a6f665657f11b43001ed7ebf4728dabf680

    • Size

      1.3MB

    • MD5

      817e50ca6790c827ce6ee8d122a151cf

    • SHA1

      260f46c33541119e281a932aaa160c2bb3cf0429

    • SHA256

      83818d0b790c51003b3f09042f4a8a6f665657f11b43001ed7ebf4728dabf680

    • SHA512

      0ff143d30878973ef33f0b1caeb4e60c685ff00378c34519690d10f7b9cafcfc32c76f091e48d3e4c4f4e2c1ed917f4064fbf63c3b98ac9255eae38df4e85d8b

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks