Overview

overview

10

Static

static

Purchase O...ng.exe

windows7_x64

10

Purchase O...ng.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    17a8d463bf6d5435553a5fe9c1dcc631fd0a0cbf596dd9f9ea4849a4d0cf539f

  • Size

    268KB

  • Sample

    220521-ntewrseba6

  • MD5

    98e35666150217d3d6805bccd15a71cc

  • SHA1

    b5ee892aec9af6518755dbfd83c0a12f4199fc03

  • SHA256

    17a8d463bf6d5435553a5fe9c1dcc631fd0a0cbf596dd9f9ea4849a4d0cf539f

  • SHA512

    0b8256cccd1a5f15d8b2348af258d119a8b1be602f1b8a6e778eab16ca0d25acee03a65ed7a8ff2a75ae6ddee337a0e11570919eca486cbe9742fe33ebd492c6

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

chefdnshot.ddns.net:40951

Targets

    • Target

      Purchase Order Sample drawing.exe

    • Size

      317KB

    • MD5

      0d1e129def7836f7f432905af5852147

    • SHA1

      4fa4432ef17fe1800612686e324b66f6f22ecc88

    • SHA256

      79c839a4e34b76c27eeae91d61a5d2a3a2c218e85b713751fef954579c981e00

    • SHA512

      3960ea13958baa645579c1dad89a4ddaa60a84d4b5c85f54aba1e0f1d83ec26478b199c3011f38762c6efb755e279721a3f73e04657190fe428fcf923ec5ed38

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks