General

  • Target

    9821bd259525a3cae468c2bade973ec2.exe

  • Size

    587KB

  • Sample

    221101-nxaffscedj

  • MD5

    9821bd259525a3cae468c2bade973ec2

  • SHA1

    07097112545f1e61179bf9d5e5b590b6ee5d213f

  • SHA256

    6c9481335cdf4592ab8592c78b4520138888538f124cb6b6928503c274eefddd

  • SHA512

    2ac199c89999cdb51b76d4969d36f554101fc28144daee8e0be8a332899253cbbab107dd9890164a107ff488619fd454a5a94d0397a33b32ad54ebf6e7b9331a

  • SSDEEP

    12288:b1h77SsjAScLJopzdtZtGi6IKysie3fRDEpfsAIHn:HSC2etWIHePxEpfsAkn

Malware Config

Extracted

Family

warzonerat

C2

45.87.62.181:6532

Targets

    • Target

      9821bd259525a3cae468c2bade973ec2.exe

    • Size

      587KB

    • MD5

      9821bd259525a3cae468c2bade973ec2

    • SHA1

      07097112545f1e61179bf9d5e5b590b6ee5d213f

    • SHA256

      6c9481335cdf4592ab8592c78b4520138888538f124cb6b6928503c274eefddd

    • SHA512

      2ac199c89999cdb51b76d4969d36f554101fc28144daee8e0be8a332899253cbbab107dd9890164a107ff488619fd454a5a94d0397a33b32ad54ebf6e7b9331a

    • SSDEEP

      12288:b1h77SsjAScLJopzdtZtGi6IKysie3fRDEpfsAIHn:HSC2etWIHePxEpfsAkn

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6