General

  • Target

    f2b3165eb4622865b540b23e6dc5300222d402140266d8263bf2c6fbfb4b9e9f

  • Size

    114KB

  • Sample

    220521-ntssmahcan

  • MD5

    03ed5eb215ccc186544bd087a00fbfd3

  • SHA1

    b11cf6d99a121837423bee44ee8a86b569a303a9

  • SHA256

    f2b3165eb4622865b540b23e6dc5300222d402140266d8263bf2c6fbfb4b9e9f

  • SHA512

    61f42c09e1c444a69b77482e732d9693c5d551f7c7a917a6095404d228047983ec6cbed99b89868f2e3295cf5648f53c2b5681262601bf7a64ba451afa03922b

Malware Config

Extracted

Family

warzonerat

C2

caebd.ddns.net:8822

Targets

    • Target

      PO45351SBY SP-SENSOR MARS INDONESIAMAKASSAR,pdf.exe

    • Size

      320KB

    • MD5

      aa8450e7c87d140e427ba011cdeb3348

    • SHA1

      6b705fc36699a0c670251a787a1ba474ddc677fa

    • SHA256

      fa925870975e7c53ec50032872d0c8f7aa23d7832658def21887419f288cbd18

    • SHA512

      cc7960501dfe33cb61ff822e3b7815da56916642d0256afa829a2e6f9886738c0033c1d277e407438c24d934593fe17df0347188be7144f10962a8d0a25a8053

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service (MaaS), with multiple plugins.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which supports entity renaming and control-flow obfuscation. Agile.Net operates on .NET assemblies, so this fires on a managed stage of the sample rather than on the native C++ WarzoneRat payload.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects the execution of a (typically suspended) thread; calling it on another process's thread is a common step in process hollowing and related injection techniques.
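The extracted C2 (caebd.ddns.net:8822) is the longer-lived indicator in this report: file hashes change with every rebuild, while the dynamic-DNS name stays with the operator even as the IP behind it moves. The script below is an added example, not part of the sandbox report, showing how to correlate that indicator with DNS and connection logs. It copies only the C2 host and port from the report; the log format, hostnames and IP addresses (TEST-NET ranges) are constructed for the example.

```python
"""Correlate the report's C2 indicator (caebd.ddns.net:8822) with DNS and
connection logs. Added example, not part of the sandbox report; the log
lines and IP addresses below are constructed so the script runs offline."""
import re
from typing import Dict, List, Set

C2_HOST = "caebd.ddns.net"   # from the report's extracted config
C2_PORT = 8822               # from the report's extracted config
DYNDNS_SUFFIX = ".ddns.net"  # dynamic-DNS provider the C2 name sits under

# Constructed sample logs (not from the report): timestamp, then key=value pairs.
DNS_LOG = """\
2022-05-21T10:14:03Z host=WS-042 query=caebd.ddns.net type=A answer=203.0.113.25
2022-05-21T10:14:05Z host=WS-042 query=update.example.com type=A answer=198.51.100.7
2022-05-21T10:20:11Z host=WS-017 query=other.ddns.net type=A answer=203.0.113.99
"""
CONN_LOG = """\
2022-05-21T10:14:04Z host=WS-042 proto=tcp dst=203.0.113.25 dport=8822 action=allow
2022-05-21T10:14:06Z host=WS-042 proto=tcp dst=198.51.100.7 dport=443 action=allow
2022-05-21T10:20:12Z host=WS-017 proto=tcp dst=203.0.113.99 dport=8822 action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'timestamp k=v k=v ...' line into a dict; 'ts' holds the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def resolutions(dns_log: str) -> Dict[str, Set[str]]:
    """Map each answered IP to the set of names that resolved to it."""
    ip_to_names: Dict[str, Set[str]] = {}
    for line in dns_log.splitlines():
        rec = parse_line(line)
        if "query" in rec and "answer" in rec:
            ip_to_names.setdefault(rec["answer"], set()).add(rec["query"].lower())
    return ip_to_names


def c2_dns_queries(dns_log: str) -> List[str]:
    """Hosts that looked up the exact C2 name (a hit even if no connection was logged)."""
    hosts = []
    for line in dns_log.splitlines():
        rec = parse_line(line)
        if rec.get("query", "").lower() == C2_HOST:
            hosts.append(rec["host"])
    return hosts


def find_c2_connections(dns_log: str, conn_log: str) -> List[Dict[str, str]]:
    """Grade outbound connections by what their destination IP resolved from.

    high:   destination resolved from the exact C2 name, on the C2 port
    medium: destination resolved from the exact C2 name, on another port
    low:    C2 port to an IP resolved from some other *.ddns.net name
            (the operator can re-point a dynamic-DNS record at any time, so
            the name, not the IP, is the durable indicator; the port alone is
            a weak signal and is only reported together with dynamic DNS)
    """
    ip_to_names = resolutions(dns_log)
    hits = []
    for line in conn_log.splitlines():
        rec = parse_line(line)
        names = ip_to_names.get(rec.get("dst", ""), set())
        on_c2_port = rec.get("dport") == str(C2_PORT)
        if C2_HOST in names:
            severity = "high" if on_c2_port else "medium"
        elif on_c2_port and any(n.endswith(DYNDNS_SUFFIX) for n in names):
            severity = "low"
        else:
            continue
        hits.append({"ts": rec["ts"], "host": rec["host"], "dst": rec["dst"],
                     "dport": rec["dport"], "names": ",".join(sorted(names)),
                     "severity": severity})
    return hits


if __name__ == "__main__":
    for h in c2_dns_queries(DNS_LOG):
        print(f"DNS lookup of {C2_HOST} from {h}")
    for hit in find_c2_connections(DNS_LOG, CONN_LOG):
        print(hit)
```

Running it against the constructed logs flags WS-042 (looked up the C2 name and then connected to the answered IP on 8822) as high and WS-017 (port 8822 to a different ddns.net host) as low; the HTTPS connection to a non-dynamic name is not reported. In a real deployment the DNS side should come from resolver or Sysmon event 22 logs so that the IP-to-name mapping reflects what each host actually resolved.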

MITRE ATT&CK Matrix

Tasks