General

  • Target

    62c975e3054e091dd2effcea135d71a27acf91162f01902b867baed16f1ac213

  • Size

    1.3MB

  • Sample

    220217-cwspvsfhh9

  • MD5

    c40a3ceef6e210141f79baae5254feae

  • SHA1

    2acf5ad83cbeaf0dd42952c3ca05f84d157288b1

  • SHA256

    62c975e3054e091dd2effcea135d71a27acf91162f01902b867baed16f1ac213

  • SHA512

    0616bb2fb010747b76f1a20acbbf626b7a0f8b1f8d01266d28f174518fce75a4448c7a87543890d8b95d6cdfe9e52f1c1f3f744e504025793aaefa86a4cf072b

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks