General

  • Size

    842KB

  • Sample

    220805-kpvvmsabdm

  • MD5

    9e8d620f00f7988a79ae5c1228f37899

  • SHA1

    27e5c643563bfe8dbccf7e26e9669c2cdde8e767

  • SHA256

    7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062

  • SHA512

    39cd5593b238c32e0644448f6e1845760ce1a56f551a97217f2ea72c7ad72725564a2b568166b84712b12b5949a0146d7c355b4756e6985311e0451f5d09f2b0

Malware Config

Extracted

Family

warzonerat

C2

20.91.187.223:5707

Targets

    • Target

      JOB-in.line e.K. - New Order 56899707.exe

    • Size

      842KB

    • MD5

      9e8d620f00f7988a79ae5c1228f37899

    • SHA1

      27e5c643563bfe8dbccf7e26e9669c2cdde8e767

    • SHA256

      7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062

    • SHA512

      39cd5593b238c32e0644448f6e1845760ce1a56f551a97217f2ea72c7ad72725564a2b568166b84712b12b5949a0146d7c355b4756e6985311e0451f5d09f2b0

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns (no techniques listed in this report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation