General

  • Target

    78b2b0c95e1cb5bcad215ec5608a497a3d7a8cb3fab2a28923c5d70ce406b206

  • Size

    1.3MB

  • Sample

    220217-arwvlsehd5

  • MD5

    af70f89c8b0f12d4841a8552f5b9bdb2

  • SHA1

    268633383dec030fcc373db0ca5a47fd084ba177

  • SHA256

    78b2b0c95e1cb5bcad215ec5608a497a3d7a8cb3fab2a28923c5d70ce406b206

  • SHA512

    ec44c90840cb2f8d857ebbb67a551573e8c5a4447e404d223bc8b6fe6a1bb927d8c584c5c7d43739cedcd9af71bde52e2e53599923c4d69d207d9153096d66e5

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      78b2b0c95e1cb5bcad215ec5608a497a3d7a8cb3fab2a28923c5d70ce406b206

    • Size

      1.3MB

    • MD5

      af70f89c8b0f12d4841a8552f5b9bdb2

    • SHA1

      268633383dec030fcc373db0ca5a47fd084ba177

    • SHA256

      78b2b0c95e1cb5bcad215ec5608a497a3d7a8cb3fab2a28923c5d70ce406b206

    • SHA512

      ec44c90840cb2f8d857ebbb67a551573e8c5a4447e404d223bc8b6fe6a1bb927d8c584c5c7d43739cedcd9af71bde52e2e53599923c4d69d207d9153096d66e5

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote-control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks