Overview

overview

10

Static

static

PO 181084.exe

windows7_x64

10

PO 181084.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ec1bdf770161f455266bc10b97a1af6441b391995e96bf93492c102cd299d32

  • Size

    495KB

  • Sample

    220521-pa47zsabdm

  • MD5

    25d1c40227a6d9c8f1396fbc09ba5d8a

  • SHA1

    e19e820586ef5789b4f208fd83d4041a451a8dbf

  • SHA256

    1ec1bdf770161f455266bc10b97a1af6441b391995e96bf93492c102cd299d32

  • SHA512

    d235720162a5095ebeff007dd9e90aac652e3e97bc7f990730f3354d8a4d10f10c0fcb1ea1a8689c78ac7dff3e7977eba2fc3a2a8da873e5f6679374df15a52e

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

158.69.115.206:5200

Targets

    • Target

      PO 181084.exe

    • Size

      643KB

    • MD5

      e61dffb557266167a4b9c244c8c8a699

    • SHA1

      7e0b819ba7163f7837a5fedb9d4f0cf28050a02b

    • SHA256

      20573eab37017ad0c5ad37228fdcc5e6f5c64dddbb275f50ee4dcc8dc3d43145

    • SHA512

      4bc7d31c2b701eb6350c8eb14f9b7c9e9671482d487962474f8ea061b8bd7bac27165321e4837880ff7a103e9c32ae2c74f135daf43847f9e5748969c7b0a1f6

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks