General

  • Size: 611KB

  • Sample: 220725-rsz24aehcn

  • MD5: 62ee0d3aebacdbfeaa1b31781398b22c

  • SHA1: 28ea8142385b4c64f8157299d3d44d00244c2e6a

  • SHA256: 61d43a20936f0a0ed8a535e4eb21535009b271f91e62200b29c92dc46d731c64

  • SHA512: 24945a0e303d5ae9854271a93440dbf042e20f45f42d70bb29fd58064ce4f2b66cdc87fa0d2b3440154d74e0fdb3ba6e36c8c89592fade051b07a9a1f967fd47

Malware Config

Extracted

  • Family: warzonerat

  • C2: 51.75.209.232:5200

Targets

    • Target: Payment Swift.exe

    • Size: 611KB

    • MD5: 62ee0d3aebacdbfeaa1b31781398b22c

    • SHA1: 28ea8142385b4c64f8157299d3d44d00244c2e6a

    • SHA256: 61d43a20936f0a0ed8a535e4eb21535009b271f91e62200b29c92dc46d731c64

    • SHA512: 24945a0e303d5ae9854271a93440dbf042e20f45f42d70bb29fd58064ce4f2b66cdc87fa0d2b3440154d74e0fdb3ba6e36c8c89592fade051b07a9a1f967fd47

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

    • Command and Control

    • Credential Access

    • Defense Evasion

    • Execution

    • Exfiltration

    • Impact

    • Initial Access

    • Lateral Movement

    • Privilege Escalation