General

  • Target

    7997d6a0510d62275ca36d4de4d60f487907e03f590b47391446672c86a71b64

  • Size

    1.3MB

  • Sample

    220217-aqrt9sgahm

  • MD5

    0143207b5a8818842653ef25cf1b2532

  • SHA1

    32ce84111da09dfbc0ca62357162ea1c1067f322

  • SHA256

    7997d6a0510d62275ca36d4de4d60f487907e03f590b47391446672c86a71b64

  • SHA512

    d50854a3948e7fc327334981ec6efcba815fa4eb2a097df10df99a4ead481ae4efff89d84e177ad7a943ebd68751737ad594db4b5dda9c0101a5528fdbe6e8a8

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202
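
The extracted C2 host and port are the part of this report that is most directly usable for detection. What follows is an added example, not part of the sandbox report: a Python matcher that takes the host and port from the config above, runs over constructed dnsmasq and netfilter-style log lines, and only reports the port when the connection goes to an address the C2 host actually resolved to, so port 5202 on its own never fires. The weaker match on the parent domain warzonedns.com and the log formats are assumptions of the example, not something the report states.

```python
"""Match the extracted C2 indicator against DNS and firewall log lines.

Added example, not part of the sandbox report: it takes the host and port
from the extracted config above and correlates a DNS reply with a later
outbound connection, so a hit on the port alone is never reported.
"""
import re
from dataclasses import dataclass

# Indicators from the extracted config on this page.
C2_HOST = "wealth.warzonedns.com"
C2_PORT = 5202
# Assumption (not in the report): other hosts under the same dynamic-DNS
# parent are worth flagging, but only as a weaker "c2_domain" hit.
C2_PARENT = "warzonedns.com"

# Constructed sample log lines (dnsmasq query log and a netfilter-style
# connection log); none of these come from the report.
SAMPLE_LOGS = [
    "Feb 17 10:01:02 dns dnsmasq[412]: query[A] wealth.warzonedns.com from 10.0.0.23",
    "Feb 17 10:01:02 dns dnsmasq[412]: reply wealth.warzonedns.com is 203.0.113.7",
    "Feb 17 10:01:03 fw kernel: ACCEPT SRC=10.0.0.23 DST=203.0.113.7 PROTO=TCP SPT=49211 DPT=5202",
    "Feb 17 10:01:05 dns dnsmasq[412]: query[A] www.example.com from 10.0.0.24",
    "Feb 17 10:02:11 dns dnsmasq[412]: query[A] other.warzonedns.com from 10.0.0.31",
    "Feb 17 10:02:12 fw kernel: ACCEPT SRC=10.0.0.24 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443",
]

HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
REPLY_RE = re.compile(r"reply (\S+) is (\d{1,3}(?:\.\d{1,3}){3})")
CONN_RE = re.compile(r"DST=(\d{1,3}(?:\.\d{1,3}){3}) .*?DPT=(\d+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str     # "c2_host", "c2_connection" (strong) or "c2_domain" (weak)
    detail: str


def scan(lines):
    """Return hits in log order. DNS replies for the C2 host are remembered so
    that a later connection to that address on the C2 port can be tied back."""
    hits = []
    resolved = set()  # addresses the C2 host resolved to, learned from replies
    for n, line in enumerate(lines, 1):
        m = REPLY_RE.search(line)
        if m and m.group(1).lower().rstrip(".") == C2_HOST:
            resolved.add(m.group(2))
        for host in HOST_RE.findall(line):
            host = host.lower().rstrip(".")
            if host == C2_HOST:
                hits.append(Hit(n, "c2_host", host))
                break
            if host == C2_PARENT or host.endswith("." + C2_PARENT):
                hits.append(Hit(n, "c2_domain", host))
                break
        m = CONN_RE.search(line)
        # The port is only meaningful together with a resolved C2 address;
        # 5202 on its own would be noise.
        if m and m.group(1) in resolved and int(m.group(2)) == C2_PORT:
            hits.append(Hit(n, "c2_connection", f"{m.group(1)}:{m.group(2)}"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:14} {hit.detail}")
```

Against the constructed lines the scanner reports the two DNS lines for the C2 host, the connection to the address it resolved to on port 5202, and the sibling host under warzonedns.com as a weak hit; the connection on 443 to an unrelated address is ignored.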

Targets

    • Target

      7997d6a0510d62275ca36d4de4d60f487907e03f590b47391446672c86a71b64

    • Size

      1.3MB

    • MD5

      0143207b5a8818842653ef25cf1b2532

    • SHA1

      32ce84111da09dfbc0ca62357162ea1c1067f322

    • SHA256

      7997d6a0510d62275ca36d4de4d60f487907e03f590b47391446672c86a71b64

    • SHA512

      d50854a3948e7fc327334981ec6efcba815fa4eb2a097df10df99a4ead481ae4efff89d84e177ad7a943ebd68751737ad594db4b5dda9c0101a5528fdbe6e8a8

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIt scripts compiled into PE executables.
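
The signatures above record what the sandbox observed at runtime. The following is an added example, not from the report or the sandbox vendor, of the static checks an analyst would run on a suspected copy of the sample: hashing and comparison with the digests listed in this report, and a scan for the marker AutoIt v3 places in front of a compiled script inside the PE, which is what the autoit_exe signature describes. The marker bytes are taken from public YARA signatures for compiled AutoIt and the input buffer is constructed; neither is stated in the report.

```python
"""Static triage for the hash and autoit_exe indicators listed above.

Added example, not part of the sandbox report: hash a buffer, compare with
the report's values, and look for the marker AutoIt v3 places in front of a
compiled script inside the PE.
"""
import hashlib
from dataclasses import dataclass

# File hashes as listed in the report.
REPORT_HASHES = {
    "md5": "0143207b5a8818842653ef25cf1b2532",
    "sha1": "32ce84111da09dfbc0ca62357162ea1c1067f322",
    "sha256": "7997d6a0510d62275ca36d4de4d60f487907e03f590b47391446672c86a71b64",
    "sha512": "d50854a3948e7fc327334981ec6efcba815fa4eb2a097df10df99a4ead481ae4efff89d84e177ad7a943ebd68751737ad594db4b5dda9c0101a5528fdbe6e8a8",
}

# "AU3!EA06" is the text AutoIt v3 writes in front of a compiled script.
# The 16-byte preamble is the one used by public YARA signatures for
# compiled AutoIt; the report itself states neither value (assumption).
AU3_PREAMBLE = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_MARKER = AU3_PREAMBLE + b"AU3!EA06"


def hash_bytes(data: bytes) -> dict:
    """Digests with the same four algorithms the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def matches_report(hashes: dict) -> list:
    """Algorithms whose digest equals the report's value. A partial match
    (for example md5 only) would itself deserve a second look."""
    return sorted(a for a, v in hashes.items() if REPORT_HASHES.get(a) == v)


def find_autoit_marker(data: bytes) -> int:
    """Offset of the compiled-script marker, or -1. Falls back to the text
    tail alone so a stub that rewrote the preamble is still caught."""
    off = data.find(AU3_MARKER)
    return off if off != -1 else data.find(b"AU3!EA06")


@dataclass
class Triage:
    size: int
    is_pe: bool
    hashes: dict
    report_matches: list
    autoit_offset: int


def triage(data: bytes) -> Triage:
    hashes = hash_bytes(data)
    return Triage(len(data), data[:2] == b"MZ", hashes,
                  matches_report(hashes), find_autoit_marker(data))


# Constructed stand-in for a file: an MZ header, zero padding and the marker.
# It is not the sample from the report, so none of its hashes will match.
SAMPLE = b"MZ" + b"\x00" * 510 + AU3_MARKER + b"<compressed script would follow>"


if __name__ == "__main__":
    t = triage(SAMPLE)
    print(f"size={t.size} pe={t.is_pe} autoit_marker_at={t.autoit_offset}")
    print("matches report:", t.report_matches or "none")
    for algo, digest in t.hashes.items():
        print(f"{algo:7}{digest}")
```

To run it on a real file, pass `Path(name).read_bytes()` to `triage()` instead of `SAMPLE`; the marker offset is where a follow-up extraction of the compiled script would start.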
