General

  • Target

    5ae28e269465f91685320e39dec3097cc4f9dca02f103e5ef0859d90fa3ca19b

  • Size

    1.3MB

  • Sample

    220217-dtvxwagdg6

  • MD5

    1590bfa21d83652421d4125ce6a4eef3

  • SHA1

    dcc2f3b8bb19fd65cf982db034ffc053e3d0a4cd

  • SHA256

    5ae28e269465f91685320e39dec3097cc4f9dca02f103e5ef0859d90fa3ca19b

  • SHA512

    b021454f9e2279e652ade23a31e7e7ef7ea8cf12f2f85a9f059bc2835e9b6f2dfd86aca175f4995018fd7c339333ee253f7ad28676e93a084cb58aa84240e4d4

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Targets


    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote-control capabilities.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v6

Tasks