Overview

overview

10

Static

static

RFQ 17253536373.exe

windows7-x64

3

RFQ 17253536373.exe

windows10-1703-x64

10

RFQ 17253536373.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ 17253536373.exe

  • Size

    1015KB

  • Sample

    221122-nsybqabf77

  • MD5

    f8a2ad4544d211df3b2698e5cecaf2dc

  • SHA1

    b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

  • SHA256

    4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

  • SHA512

    fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

  • SSDEEP

    24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

74.119.192.210:5200

Targets

    • Target

      RFQ 17253536373.exe

    • Size

      1015KB

    • MD5

      f8a2ad4544d211df3b2698e5cecaf2dc

    • SHA1

      b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

    • SHA256

      4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

    • SHA512

      fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

    • SSDEEP

      24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v6

Tasks