Overview

overview

10

Static

static

1

1106d5f8e0...64.exe

windows7-x64

10

1106d5f8e0...64.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1106d5f8e093af4ef06b0297fbd31f64.exe

  • Size

    312KB

  • Sample

    221121-3sab8abh34

  • MD5

    1106d5f8e093af4ef06b0297fbd31f64

  • SHA1

    bda37d2687bfd83b3d0b82372e426482676084a7

  • SHA256

    99371e32494bfb38d63bb427cb5f868bbfb1d342e030d3a04ef3b3651eaf8500

  • SHA512

    941ad648289d42f218bc005f400ca251e69b332316c5e1fd833711f2c65a920a0d217ca38d8984fa0c3d3d4112dd49b9bd329926c9e59f08ef368fa5082a8fd9

  • SSDEEP

    3072:WGJSq+ytGIon9KcdNPMKCrG0OQsq6YZon2JjR1Fu89WrvHxAKiOJGp+7Z:9Ea0RU/rGDHpYa2lrFvCRAnOJdZ

Score
10/10
warzoneratcollectioninfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

161.129.44.221:9999

Targets

    • Target

      1106d5f8e093af4ef06b0297fbd31f64.exe

    • Size

      312KB

    • MD5

      1106d5f8e093af4ef06b0297fbd31f64

    • SHA1

      bda37d2687bfd83b3d0b82372e426482676084a7

    • SHA256

      99371e32494bfb38d63bb427cb5f868bbfb1d342e030d3a04ef3b3651eaf8500

    • SHA512

      941ad648289d42f218bc005f400ca251e69b332316c5e1fd833711f2c65a920a0d217ca38d8984fa0c3d3d4112dd49b9bd329926c9e59f08ef368fa5082a8fd9

    • SSDEEP

      3072:WGJSq+ytGIon9KcdNPMKCrG0OQsq6YZon2JjR1Fu89WrvHxAKiOJGp+7Z:9Ea0RU/rGDHpYa2lrFvCRAnOJdZ

    Score
    10/10
    warzoneratcollectioninfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks