General

  • Target

    78c4d7d8d7d5ecc0e3ebfc55e1d905498922be5416352f31babbdfe6053fa8b6

  • Size

    1.3MB

  • Sample

    220217-arq95agbam

  • MD5

    04543e2a8a287dbbc0e08f0e371a124d

  • SHA1

    2260a0ea326dddd10f49a5dce28990cfb6932272

  • SHA256

    78c4d7d8d7d5ecc0e3ebfc55e1d905498922be5416352f31babbdfe6053fa8b6

  • SHA512

    7f9cb93d5e85cbf09836882ec7e797f9f357e6815d90c02d762cb97ea5232a3d958d42302ffc683471a1cbb85cae632e2e0d1906b471f6a4375d3fcf3b182108

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202
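The hashes listed under General and the extracted C2 above are the indicators a responder actually consumes. The following matcher is an added example, not part of the sandbox report or of any Warzone tooling: it digests a file with all four algorithms the report lists in a single pass, reports which of them match the sample, and scans log lines for the C2 host and port. The log lines are constructed for the example, the 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are RFC 5737 documentation ranges standing in for whatever the host resolved to, and the line format is an assumed generic DNS/connection log, not any particular product's output.

```python
"""IOC matcher built from the hashes and extracted C2 in the report above."""
import hashlib
import re

# Indicators copied verbatim from the report (General / Malware Config sections).
SAMPLE_HASHES = {
    "md5": "04543e2a8a287dbbc0e08f0e371a124d",
    "sha1": "2260a0ea326dddd10f49a5dce28990cfb6932272",
    "sha256": "78c4d7d8d7d5ecc0e3ebfc55e1d905498922be5416352f31babbdfe6053fa8b6",
    "sha512": (
        "7f9cb93d5e85cbf09836882ec7e797f9f357e6815d90c02d762cb97ea5232a3d"
        "958d42302ffc683471a1cbb85cae632e2e0d1906b471f6a4375d3fcf3b182108"
    ),
}
C2_HOST = "wealth.warzonedns.com"
C2_PORT = 5202

# Whole-token match on the host: "notwealth.warzonedns.com" must not hit,
# but a trailing FQDN dot is tolerated.
HOST_RE = re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"(?![\w-])", re.IGNORECASE)
# ":5202" not followed by another digit, so ":52020" is not a hit.
PORT_RE = re.compile(r":" + str(C2_PORT) + r"(?!\d)")


def hash_bytes(data: bytes) -> dict:
    """Digest a byte string with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four digests at once (one read of the file)."""
    digests = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matching_algorithms(digests: dict) -> list:
    """Return the algorithms whose digest equals the sample's; [] means no match."""
    return [name for name, want in SAMPLE_HASHES.items()
            if digests.get(name, "").lower() == want]


def scan_logs(lines):
    """Flag lines that reference the C2. A host hit is high confidence; a bare
    port-5202 hit is low confidence because 5202 is not reserved for Warzone."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = []
        if HOST_RE.search(line):
            found.append("c2_host")
        if PORT_RE.search(line):
            found.append("c2_port")
        if found:
            hits.append({"line": n, "indicators": found,
                         "confidence": "high" if "c2_host" in found else "low"})
    return hits


# Constructed log lines (not from the report); the destination IPs are RFC 5737
# documentation addresses standing in for whatever the C2 host resolved to.
LOG_LINES = [
    "2022-02-17T10:01:03Z dns host=WS01 qname=wealth.warzonedns.com qtype=A",
    "2022-02-17T10:01:04Z conn host=WS01 dst=198.51.100.23:5202 proto=tcp dst_name=wealth.warzonedns.com",
    "2022-02-17T10:02:11Z dns host=WS02 qname=www.example.com qtype=A",
    "2022-02-17T10:03:00Z conn host=WS02 dst=203.0.113.9:443 proto=tcp dst_name=www.example.com",
    "2022-02-17T10:04:30Z conn host=WS03 dst=192.0.2.77:5202 proto=tcp",
]

if __name__ == "__main__":
    import sys
    # Usage: python ioc_match.py <file> [<file> ...]
    for path in sys.argv[1:]:
        print(path, matching_algorithms(hash_file(path)) or "no match")
    for hit in scan_logs(LOG_LINES):
        print(hit)
```

Only the SHA-256 (or SHA-512) match should be treated as proof that a file is this sample; MD5 and SHA-1 are kept because they are what older feeds and tickets still quote. The port-only rule is deliberately reported as low confidence: on the constructed data it fires on WS03, which has no DNS evidence at all, and that is exactly the kind of hit that needs the host or payload signatures before anyone acts on it.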

Targets

    • Target

      78c4d7d8d7d5ecc0e3ebfc55e1d905498922be5416352f31babbdfe6053fa8b6

    • Size

      1.3MB

    • MD5

      04543e2a8a287dbbc0e08f0e371a124d

    • SHA1

      2260a0ea326dddd10f49a5dce28990cfb6932272

    • SHA256

      78c4d7d8d7d5ecc0e3ebfc55e1d905498922be5416352f31babbdfe6053fa8b6

    • SHA512

      7f9cb93d5e85cbf09836882ec7e797f9f357e6815d90c02d762cb97ea5232a3d958d42302ffc683471a1cbb85cae632e2e0d1906b471f6a4375d3fcf3b182108

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIt scripts compiled to PE executables.
