General

  • Target

    5b2b5bb23e955d479a01bcf09da85d5acf6d489cc5c0c4d5c6402101d0a23c2b

  • Size

    1.3MB

  • Sample

    220217-dr286sgde8

  • MD5

    1ae2a5141a15452e1d8fe2dc69e1aa3f

  • SHA1

    bc71e5c5ad7f7a39c4e2008353454d1f523c72b7

  • SHA256

    5b2b5bb23e955d479a01bcf09da85d5acf6d489cc5c0c4d5c6402101d0a23c2b

  • SHA512

    fc556b62431b30623d06af39a5333e56765002429d3505c820cbbe0c85313944533d0bb57c67244ab063231aa407b590c5b5698df6537aa7fdf20e4207c4f640

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      5b2b5bb23e955d479a01bcf09da85d5acf6d489cc5c0c4d5c6402101d0a23c2b

    • Size

      1.3MB

    • MD5

      1ae2a5141a15452e1d8fe2dc69e1aa3f

    • SHA1

      bc71e5c5ad7f7a39c4e2008353454d1f523c72b7

    • SHA256

      5b2b5bb23e955d479a01bcf09da85d5acf6d489cc5c0c4d5c6402101d0a23c2b

    • SHA512

      fc556b62431b30623d06af39a5333e56765002429d3505c820cbbe0c85313944533d0bb57c67244ab063231aa407b590c5b5698df6537aa7fdf20e4207c4f640

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks