General

  • Target

    3c1002fea3af96e1a3931e67241b1ecf.zip

  • Size

    621KB

  • Sample

    220927-md8ngaedan

  • MD5

    3c1002fea3af96e1a3931e67241b1ecf

  • SHA1

    238481c1679e119fbce6453afcb6b62aa349e4d8

  • SHA256

    1dfcccdd32ed323bbe2749f317ce31dc0b9ae06c8972558d76b46df0b437d30e

  • SHA512

    cba32a1f308c3bcce35573e4259b2eafdf8518f0620a19ceb1ad3a2d5e65bdefd97a855f0da104d18e7a8cafef9911fd00c0d95cbe55f91384d77e35ed42e172

  • SSDEEP

    12288:fESIR+qIGxDmjS6tDxFixuqyA1eyxvczVnfO:s7+326tPCneuM9O

Malware Config

Extracted

Family

warzonerat

C2

171.22.30.72:52011

Targets

    • Target

      Ajanlatkeres szam221909·10397·pdf.exe

    • Size

      982KB

    • MD5

      0123b43115849331501c21f58cad8763

    • SHA1

      e14553622a714d9e1fe731ef06b083c5654e6d13

    • SHA256

      aeb049faf805c590ca7125f2eae56483200815aa964b7cb9677d4a5d63b1bcd1

    • SHA512

      fd5eeafded2558f93d5a0b2bae53764f851f892063bed6ac5ed96dae08ad9c5d1c75c6846650e0c2d0f9d8e849e1f342b855e07e78136b715cb171fe703ee630

    • SSDEEP

      12288:6dW/busnDZoRtM/sT7PEWjBtPXF2ruey61e03vcz5nf:+WmtysH8WjBtNuvewMh

    • WarzoneRat, AveMaria

WarzoneRat (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS), with additional capabilities delivered as plugins.

    • Warzone RAT payload

    • Executes dropped EXE

    • Checks computer location settings

Reads the country code configured in the registry; most likely a geofence check so the payload only runs (or refuses to run) in certain regions.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting the context of a thread in another process (typically one the sample created suspended) is characteristic of process hollowing, which matches the dropped-EXE and dropped-DLL behaviours above.
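
The signatures above are the kind of behaviours a triage rule set keys on. The following is an added example, not Triage's own rule logic and not WarzoneRat code: it runs a small stateful classifier over a hand-constructed event trace that mirrors this report (Geo registry read, Run key write, suspended CreateProcess followed by SetThreadContext, and a connection to the C2 in the extracted config). The registry path used for the location check (`Control Panel\International\Geo`), the event schema, the PIDs and the file names in the trace are assumptions made for the example.

```python
"""Behavioural triage over a constructed sandbox event trace.

Added example. The events below are hand-written to mirror the signatures
in this report; they are not captured sandbox data.
"""
import re
from dataclasses import dataclass, field

# C2 endpoint from the extracted config above.
KNOWN_C2 = {("171.22.30.72", 52011)}

# Assumption: the "checks computer location settings" signature corresponds to
# reads of the user's GeoID under HKCU\Control Panel\International\Geo.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
# Autostart locations behind "Adds Run key to start application".
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess


@dataclass
class Event:
    kind: str               # reg_read | reg_write | api | net
    pid: int                # process that performed the action
    detail: dict = field(default_factory=dict)


def classify(events):
    """Return {signature_name: [events]} for the behaviours this report lists."""
    hits = {}
    suspended = {}          # child pid -> creating pid, for hollowing detection

    def hit(name, ev):
        hits.setdefault(name, []).append(ev)

    for ev in events:
        d = ev.detail
        if ev.kind == "reg_read" and GEO_KEY_RE.search(d.get("path", "")):
            hit("checks_location_settings", ev)
        elif ev.kind == "reg_write" and RUN_KEY_RE.search(d.get("path", "")):
            hit("adds_run_key", ev)
        elif ev.kind == "api" and d.get("name") == "CreateProcessW":
            if d.get("flags", 0) & CREATE_SUSPENDED:
                suspended[d["child_pid"]] = ev.pid
        elif ev.kind == "api" and d.get("name") == "SetThreadContext":
            # Only flag SetThreadContext aimed at a child this process created
            # suspended: that is the process-hollowing tell, not every call.
            if suspended.get(d.get("target_pid")) == ev.pid:
                hit("suspicious_setthreadcontext", ev)
        elif ev.kind == "net" and (d.get("ip"), d.get("port")) in KNOWN_C2:
            hit("warzone_c2_contact", ev)
    return hits


def verdict(hits):
    """C2 contact or hollowing is malicious outright; otherwise two tells are needed."""
    if "warzone_c2_contact" in hits or "suspicious_setthreadcontext" in hits:
        return "malicious"
    return "suspicious" if len(hits) >= 2 else "clean"


# Constructed trace mirroring the report's signatures (PIDs and paths are made up).
SAMPLE_EVENTS = [
    Event("reg_read", 1200, {"path": r"HKCU\Control Panel\International\Geo\Nation"}),
    Event("reg_write", 1200, {"path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\images",
                              "data": r"C:\ProgramData\images.exe"}),
    Event("api", 1200, {"name": "CreateProcessW", "flags": 0x4, "child_pid": 1344}),
    Event("api", 1200, {"name": "WriteProcessMemory", "target_pid": 1344}),
    Event("api", 1200, {"name": "SetThreadContext", "target_pid": 1344}),
    Event("net", 1344, {"ip": "171.22.30.72", "port": 52011}),
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for name, evs in found.items():
        print(f"{name}: {len(evs)} event(s)")
    print("verdict:", verdict(found))
```

The SetThreadContext rule is deliberately stateful: a bare "SetThreadContext was called" signature, as listed in the report, also fires on debuggers and some legitimate runtimes, whereas pairing it with a suspended child the same process created narrows it to the hollowing pattern. The C2 match is only as good as the extracted config, so it belongs in a block list that is refreshed per sample rather than hard-coded in production.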

MITRE ATT&CK Enterprise v6

Tasks