Overview

overview

10

Static

static

Quotation ...DF.exe

windows7_x64

10

Quotation ...DF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    47fa3d12bbf90ed2c61bf71b5b6c84b78357635377654602b39d1452a297ea7b

  • Size

    384KB

  • Sample

    220521-pxhx9sbdbm

  • MD5

    25efcdf98be2c0a9129de8da1ae55690

  • SHA1

    870e71028a7f273eead1a4e31b4b7a6ddfc1116d

  • SHA256

    47fa3d12bbf90ed2c61bf71b5b6c84b78357635377654602b39d1452a297ea7b

  • SHA512

    c96f00d5049ddc88f1b6f8a956e0c1548de3ff1478cbe7ac51df6d1bcd65fcd531196b47b4f1c515ed8e7829a5212ed85307df37d8b814a9cca0a660874bd2a9

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

45.137.22.143:5200

Targets

    • Target

      Quotation Request_20202605_20202605_20202605PDF.exe

    • Size

      531KB

    • MD5

      b1482e23bdf72a41744c093fbb8240c1

    • SHA1

      158c3f82a524da53d69047a6ea5768ed17fa6fbc

    • SHA256

      9eb63d2c299e7faae7179f56ea8b4c962270a9def733cad4839955d638ac7d00

    • SHA512

      b3f110b3c05168eb734d0250502522ed1c7daab2ec50c705ab90d56d542d5fe285c348a14baa1e3370eb393f8d195138ed654b2356a8aa0a28557f5988fa61a6

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks