General

  • Target

    78093adc07258ecc72ee6a881f2076452eeba032dbbfa9f7e251ddca681da025

  • Size

    1.3MB

  • Sample

    220217-asm9vsehd9

  • MD5

    967cda310ce22f7e17704dfa7d8f8bd7

  • SHA1

    464446e3df090c65fbf11d461ecd6b57d1017046

  • SHA256

    78093adc07258ecc72ee6a881f2076452eeba032dbbfa9f7e251ddca681da025

  • SHA512

    20584160cef64c9d47d154eee330db40a1cc61cc01a5085df727fbc1b0c0bc661cae0047379d4762b490790476e501e6c98a6d1c9e85a86cb68660304cde0ea7

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      78093adc07258ecc72ee6a881f2076452eeba032dbbfa9f7e251ddca681da025

    • Size

      1.3MB

    • MD5

      967cda310ce22f7e17704dfa7d8f8bd7

    • SHA1

      464446e3df090c65fbf11d461ecd6b57d1017046

    • SHA256

      78093adc07258ecc72ee6a881f2076452eeba032dbbfa9f7e251ddca681da025

    • SHA512

      20584160cef64c9d47d154eee330db40a1cc61cc01a5085df727fbc1b0c0bc661cae0047379d4762b490790476e501e6c98a6d1c9e85a86cb68660304cde0ea7

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks