General

  • Target

    5b20cd95c588522237e4f706c46c111a9323202638db617538dc52c21fbf7d46

  • Size

    1.3MB

  • Sample

    220217-dshwxsgdf5

  • MD5

    77e9978b8f4f238c0100e0fe1afc67e7

  • SHA1

    280ce4dab0568a03557ed9389687f36ec06861d1

  • SHA256

    5b20cd95c588522237e4f706c46c111a9323202638db617538dc52c21fbf7d46

  • SHA512

    0ba9a4a95472ca0428fa0504a5d67e285002c06ddf5c0a4fbfd80579f6e1170c211e1f52bc00af350941d73fcc4ceba1fd1382449d3d48b2185d8b3ae0b2db26

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets

    • Target

      5b20cd95c588522237e4f706c46c111a9323202638db617538dc52c21fbf7d46

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks