Overview

overview

10

Static

static

RFQ0230180...lx.exe

windows7-x64

10

RFQ0230180...lx.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ023018000171984CW289170-A & CW20145344323443-xslx.iso

  • Size

    416KB

  • Sample

    221001-ztjqhagfdl

  • MD5

    945e6eae3156706c5483152ac3c14f8b

  • SHA1

    3cbab96e5d25a07e67e8d6f86b553986828a6116

  • SHA256

    68c72a9af569a7153e51d7bd7c99571232a7955967a07a910680865afbbb0afb

  • SHA512

    d43f98ca05b8e7c4cd69e2ca971b33365abb2fc6a08bc8f3533fc2c3b41f12d07703045fdc1d607c878f8bb2cf6d5c4c4ab4e00c4cf1ddabef061498a8963c97

  • SSDEEP

    3072:M/ies1pdcWyMCD5qfa0IJD59YR+umhBbHVrqAd8i9uBs71hEbaFSkjiRrP6Aq:MqLDTClqfa0IxzYR+5hBzAAugqFa+

Score
10/10
warzoneratcollectionevasioninfostealerpersistenceratupx

Malware Config

Extracted

Family

warzonerat

C2

81.161.229.75:5200

Targets

    • Target

      RFQ023018000171984CW289170-A & CW20145344323443-xslx.exe

    • Size

      355KB

    • MD5

      e2fdeb0871673296aad75a0e2b26276d

    • SHA1

      0a5e24e2270ca08b763348784dd3b76bd9620c8b

    • SHA256

      089e22b0800e63398322f535240d8043b8d7e4a561245718ed5bf88fbb22e799

    • SHA512

      20c61659d19e59aac8571e3f93429f01e4b82d523d7ae7e594063f3c2e923f30bf2b5b2c6ec956ad5d5411b0e2b0107e1e135fb355c6bbeffef67d3e3c7e93f9

    • SSDEEP

      3072:4/ies1pdcWyMCD5qfa0IJD59YR+umhBbHVrqAd8i9uBs71hEbaFSkjiRrP6Aq:4qLDTClqfa0IxzYR+5hBzAAugqFa+

    Score
    10/10
    warzoneratcollectionevasioninfostealerpersistenceratupx

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets DLL path for service in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks