General

  • Target

    JOB-in.line e.K. - New Order 56899707.exe

  • Size

    842KB

  • Sample

    220805-kpvvmsabdm

  • MD5

    9e8d620f00f7988a79ae5c1228f37899

  • SHA1

    27e5c643563bfe8dbccf7e26e9669c2cdde8e767

  • SHA256

    7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062

  • SHA512

    39cd5593b238c32e0644448f6e1845760ce1a56f551a97217f2ea72c7ad72725564a2b568166b84712b12b5949a0146d7c355b4756e6985311e0451f5d09f2b0

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    20.91.187.223:5707

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks