General

  • Target

    79c730694b0df899e39b8cfcfcf610f7d25bc191512b3287e55fdbc1a39d1e01

  • Size

    1.3MB

  • Sample

    220217-aqpd5sgahl

  • MD5

    a5d59151fbe269c3f50dfa241cad9cdd

  • SHA1

    ec896e5d0758c1a29a763a988c77334f12430432

  • SHA256

    79c730694b0df899e39b8cfcfcf610f7d25bc191512b3287e55fdbc1a39d1e01

  • SHA512

    03aebec9e30855cf77f38016b7f687452a203ed8399d1cf65d08f8c36263a4987f0e16c8c26477c1bef6cdfcbefe177d7ac90971bd7643a907f1278bfe7a3ce9

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202
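The extracted C2 and the file hashes listed above are the report's actionable indicators. The script below is an added example (not part of the sandbox report) that turns them into a small hunting check: it hashes files or byte strings against the four listed digests and scans log lines for the C2 host, its dynamic-DNS parent domain, and the C2 port. The log lines and the 10.0.0.0/8 and 203.0.113.0/24 addresses are constructed for the example; the indicators themselves are the ones the report lists.

```python
"""Hunt for the indicators in this report in files and log lines.

Added example, not part of the sandbox report. The hashes and the C2 host/port
are copied from the report; the log lines below are constructed test data.
"""
import hashlib
import re

# File hashes as listed in the report.
IOC_HASHES = {
    "md5": "a5d59151fbe269c3f50dfa241cad9cdd",
    "sha1": "ec896e5d0758c1a29a763a988c77334f12430432",
    "sha256": "79c730694b0df899e39b8cfcfcf610f7d25bc191512b3287e55fdbc1a39d1e01",
    "sha512": "03aebec9e30855cf77f38016b7f687452a203ed8399d1cf65d08f8c36263a4987"
              "f0e16c8c26477c1bef6cdfcbefe177d7ac90971bd7643a907f1278bfe7a3ce9",
}

# Extracted C2 from the report. The parent domain is derived from the host:
# any other label under it is a weaker, but still suspicious, signal.
C2_HOST = "wealth.warzonedns.com"
C2_PORT = 5202
C2_PARENT = C2_HOST.split(".", 1)[1]

# Match any hostname ending in the parent domain, as a whole DNS name.
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(C2_PARENT) + r"(?![\w-])", re.I
)
# Match the port only where it appears as a port (after ':' or '=' or 'port ').
PORT_RE = re.compile(r"(?:[:=]|\bport[ =])%d\b" % C2_PORT)


def hash_bytes(data, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Return {algorithm: hexdigest} for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Return {algorithm: hexdigest} for a file, streaming it once in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_sample(digests):
    """Return the set of algorithm names whose digest equals the reported sample."""
    return {name for name, value in digests.items() if IOC_HASHES.get(name) == value}


def scan_log_line(line):
    """Classify one log line; returns {"severity", "reasons"} or None if clean."""
    reasons = []
    exact_host = parent_only = False
    match = DOMAIN_RE.search(line)
    if match:
        host = match.group(0).lower()
        if host == C2_HOST:
            exact_host = True
            reasons.append("c2_host:" + host)
        else:
            parent_only = True
            reasons.append("c2_parent_domain:" + host)
    if PORT_RE.search(line):
        reasons.append("c2_port:%d" % C2_PORT)
    if not reasons:
        return None
    # The exact C2 host is high confidence; a sibling under the dynamic-DNS
    # parent is medium; the port alone is too generic to be more than low.
    severity = "high" if exact_host else "medium" if parent_only else "low"
    return {"severity": severity, "reasons": reasons}


def scan_logs(lines):
    """Return (line, verdict) pairs for every line that matched an indicator."""
    hits = []
    for line in lines:
        verdict = scan_log_line(line)
        if verdict:
            hits.append((line, verdict))
    return hits


# Constructed log lines for the example (not from the report or any real network).
SAMPLE_LOGS = [
    "2022-02-17T10:01:02Z dns query client=10.0.0.12 qname=wealth.warzonedns.com qtype=A",
    "2022-02-17T10:01:03Z fw allow src=10.0.0.12 dst=203.0.113.7:5202 proto=tcp",
    "2022-02-17T10:05:00Z proxy GET http://cdn.example.com/update.bin status=200",
    "2022-02-17T10:06:00Z dns query client=10.0.0.33 qname=other.warzonedns.com qtype=A",
]

if __name__ == "__main__":
    for line, verdict in scan_logs(SAMPLE_LOGS):
        print(verdict["severity"].upper(), verdict["reasons"], "<-", line)
    # A file on disk can be checked with matches_sample(hash_file(path)).
    print("empty blob matches sample:", matches_sample(hash_bytes(b"")))
```

Run against real DNS, firewall or proxy exports by feeding the lines to `scan_logs`; the DNS hit for the exact host is the line to pivot on, since the port by itself will also match unrelated traffic.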

Targets

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote-control capabilities.

    • WarzoneRat, AveMaria

      Warzone RAT (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIt script compiled into a PE executable.

MITRE ATT&CK Enterprise v6
