General

  • Target

    a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e

  • Size

    327KB

  • Sample

    221206-cq531abf2t

  • MD5

    e16edffaa9687714e5f9ebb9220f44fd

  • SHA1

    847f729d7d68bcb6746cc82295878b0cabf33388

  • SHA256

    a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e

  • SHA512

    f6f74d4975cbfeab7ed269619795b7f46d818fa2409c6f42bb6d3677e0785612bc900a943ede907396289b899e2a39ed18031049bab9636b6873ed350433ba19

  • SSDEEP

    6144:PBnxm/hZudIIuLpkyzypTJUwdYO+HDIG4jcE:LzdIZpkplVGfHDIHjf

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    baramac.duckdns.org:6269

Targets


    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks