General

  • Target

    57459ada14141ab193bc39e4dbad589ba418be4c43e2527d1b982ced02ed7a4a

  • Size

    2.4MB

  • Sample

    221130-wphqvscf35

  • MD5

    01a2d25e63ace2d3f261d2825775c594

  • SHA1

    7830e1ff5e37b7540715c2b35d4bc907ddbb9e95

  • SHA256

    57459ada14141ab193bc39e4dbad589ba418be4c43e2527d1b982ced02ed7a4a

  • SHA512

    b103756fa77f9cbb4d512067d3282e7226785491b37ad2956238984342e7ed83fa61d14d2929e078f3a83ac0d3a6c88602553544729892c1ea85ec334e97859f

  • SSDEEP

    49152:Pr519tIlXSPQe3dalZMgY5q0dEfatCTyM:lTt2XSP2ZMgY5q0dEN

Malware Config (extracted from the sample)

  • Family

    warzonerat

  • C2

    ebase.duckdns.org:5200

Targets

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple optional plugins.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      1      T1112