General

  • Target

    tmp

  • Size

    153KB

  • Sample

    220728-nxmqsagaal

  • MD5

    74cf39132e2b3d825a2f6c0b9cd4ba90

  • SHA1

    df674c8c6156698be10c0285fb3bc56a2daab533

  • SHA256

    b32a1e21f9941f2e70fac915af9cea3add6f859b8ccca73cc5aadf369af3ae1c

  • SHA512

    a6794a1b3ee3a374724a25a092f855460c9fc5cba002f7b414152ca8314ecaf1ee97b1e79d2c69cf768a589367a1af22ae49cf882a24558c3bde9e7b37de8d06

Malware Config

Extracted

Family

warzonerat

C2

dropy1.ddns.net:5200

Targets

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family is designed to inject itself into other executable files in order to spread and cause damage.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6