General

  • Size

    951KB

  • Sample

    220923-g92xxaddb9

  • MD5

    87b246b26208a9831a4372664c518c2c

  • SHA1

    1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

  • SHA256

    27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

  • SHA512

    4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Malware Config

Extracted

Family

warzonerat

C2

20.126.95.155:7800

Targets

    • Target

      27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

    • Size

      951KB

    • MD5

      87b246b26208a9831a4372664c518c2c

    • SHA1

      1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

    • SHA256

      27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

    • SHA512

      4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

    • WarzoneRat, AveMaria

      WarzoneRAT (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service, with additional capabilities shipped as plugins.

    • Warzone RAT payload

    • Checks computer location settings

      Reads the country code configured in the registry, likely as a geofence: the sample can decide whether to run based on the victim's configured locale.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state, including its instruction pointer; malware uses it in process hollowing and similar injection to redirect a suspended thread into injected code.
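The following script is an added example, not part of the sandbox report or of any WarzoneRAT tooling. It turns the report's extracted indicators (sample hashes, C2 endpoint) and its two behavioural signatures (registry country-code lookup, SetThreadContext-based injection) into checks that run over a constructed, simplified event stream. The event field names, the sample events themselves, and the assumption that the locale lookup targets the "Control Panel\International" registry path (the report names no specific key) are all assumptions for illustration; real Sysmon, EDR or sandbox API traces would need their own parser.

```python
"""Triage helper for the indicators in this WarzoneRAT report.

Added example: matches the report's IOCs and behavioural signatures against a
constructed event stream. Field names and sample events are assumptions, not
real telemetry.
"""

# Indicators copied from the report.
IOC_SHA256 = "27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf"
IOC_MD5 = "87b246b26208a9831a4372664c518c2c"
C2_IP, C2_PORT = "20.126.95.155", 7800

# Assumption: the country-code lookup reads the locale values under
# "Control Panel\International"; the report does not name the exact key.
GEOFENCE_KEY_FRAGMENT = "control panel\\international"

# Canonical process-hollowing call chain in which SetThreadContext is abused:
# spawn suspended -> overwrite image -> redirect entry point -> resume.
HOLLOWING_CHAIN = ("CreateProcessW", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

# Constructed sample telemetry (not captured from the sample).
SAMPLE_EVENTS = [
    {"type": "file", "sha256": IOC_SHA256, "md5": IOC_MD5,
     "path": "C:\\Users\\victim\\Downloads\\invoice.exe"},
    {"type": "reg_read", "key": "HKCU\\Control Panel\\International",
     "value": "sCountry"},
    {"type": "api", "name": "CreateProcessW", "args": {"flags": "CREATE_SUSPENDED"}},
    {"type": "api", "name": "NtUnmapViewOfSection", "args": {}},
    {"type": "api", "name": "WriteProcessMemory", "args": {}},
    {"type": "api", "name": "SetThreadContext", "args": {}},
    {"type": "api", "name": "ResumeThread", "args": {}},
    {"type": "net", "dst_ip": "20.126.95.155", "dst_port": 7800, "proto": "tcp"},
    {"type": "net", "dst_ip": "93.184.216.34", "dst_port": 443, "proto": "tcp"},
]


def hash_hits(events):
    """Paths of files whose SHA256 or MD5 matches the report's sample."""
    return [e["path"] for e in events if e["type"] == "file"
            and (e.get("sha256", "").lower() == IOC_SHA256
                 or e.get("md5", "").lower() == IOC_MD5)]


def c2_hits(events):
    """(ip, port) tuples that match the extracted C2 endpoint."""
    return [(e["dst_ip"], e["dst_port"]) for e in events if e["type"] == "net"
            and e["dst_ip"] == C2_IP and e["dst_port"] == C2_PORT]


def geofence_reads(events):
    """Registry reads of the locale keys the 'computer location' signature describes."""
    return [e["key"] + "\\" + e["value"] for e in events if e["type"] == "reg_read"
            and GEOFENCE_KEY_FRAGMENT in e["key"].lower()]


def hollowing_chain_present(events):
    """True if HOLLOWING_CHAIN appears as an ordered subsequence of API calls.

    Other calls may be interleaved (e.g. NtUnmapViewOfSection); only the order
    of the chain members matters. A lone SetThreadContext is not enough, since
    debuggers and some runtimes use it legitimately.
    """
    wanted = iter(HOLLOWING_CHAIN)
    nxt = next(wanted)
    for e in events:
        if e["type"] == "api" and e["name"] == nxt:
            nxt = next(wanted, None)
            if nxt is None:
                return True
    return False


def triage(events):
    """Aggregate verdict: which of the report's signatures fired on this stream."""
    return {
        "sample_hash": hash_hits(events),
        "c2_contact": c2_hits(events),
        "geofence_lookup": geofence_reads(events),
        "hollowing_via_setthreadcontext": hollowing_chain_present(events),
    }


if __name__ == "__main__":
    for name, hit in triage(SAMPLE_EVENTS).items():
        print(f"{name:32} {hit}")
```

The chain check deliberately requires the suspended-create, write, SetThreadContext, resume ordering rather than firing on SetThreadContext alone; dropping the SetThreadContext event from the stream makes the verdict go negative, which is the distinction between the sandbox's "suspicious use" signature and a benign debugger call.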

MITRE ATT&CK Matrix

The report lists the following tactic columns; no individual techniques are shown for this sample:

    Collection
    Command and Control
    Credential Access
    Defense Evasion
    Execution
    Exfiltration
    Impact
    Initial Access
    Lateral Movement
    Persistence
    Privilege Escalation