f2a5985b57a7f349270f65bc5cfc3b5c4d901121533e1ce3f474e04840c24561

General

Target: f2a5985b57a7f349270f65bc5cfc3b5c4d901121533e1ce3f474e04840c24561
Size: 272KB
Sample: 220521-xfj31aehgj
Score: 10/10
MD5: 6bce49036d5d14c9bee2c446fd975794
SHA1: 029c46f328fbff9333b02b3f7452d04cd8a119a5
SHA256: f2a5985b57a7f349270f65bc5cfc3b5c4d901121533e1ce3f474e04840c24561
SHA512: 72ae81f76819ee21b2f7c633753b3fd038789e784ccb9c4ca20f92adc7bd41c4cf56fc134e2593a7c7622b23d05ecddef31268b93c0b27109ec28812ccf8ca18

Malware Config

Extracted

Family: warzonerat
C2: kingmeth.ddns.net:2065

Targets

Target: Urgent Inquiry___289812.exe
MD5: 7777daa2b9545090156a898d5131521c
Filesize: 568KB
Score: 10/10
SHA1: f3657d37012ca0daae9e4287568b68c1b2220a60
SHA256: cb1f5aab744ba7964f5a04e4e7b606843b1914346594ebfc36d95d7296936d2e
SHA512: 4a4fdc1ab7ce776fd97abd0e43f646fc093bfaaa3eb0660bf9a22cc0321d67d2b95eccf6bd64591eaafedffcbd9ec7e021ecb50f90f6fcfe271f9fbfdf2f2271

Signatures

  • WarzoneRat, AveMaria
    Description: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
  • Warzone RAT Payload
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1: 10/10
behavioral2: 6/10