General

  • Target: 4000bda87d72459675f2ba2850c850bf.exe

  • Size: 202KB

  • Sample: 230222-q3jbnabh48

  • MD5: 4000bda87d72459675f2ba2850c850bf

  • SHA1: b22ba9c83a79d3a9af894a020623c71552482345

  • SHA256: f60ea0e9fc88d4de1c25942a4f62dc6ad804af599a083da1595ec02db53bdb19

  • SHA512: 8c217dc14d50edac2b4eb06cbf362b7ac1565162ed996a80207863e627a1dc7ba15a2692efb5b42efdf0dd653d9a76da6969c8dd5a53d6f0e05b756453a4a587

  • SSDEEP: 6144:AYa6eV4tW6hml8wKlHFLhBW7WIcJ/Uq1n:AYgQ1Zw2iunN

Malware Config

Extracted

  • Family: warzonerat

  • C2: blackroots7.duckdns.org:1104

Targets

    • Target: 4000bda87d72459675f2ba2850c850bf.exe

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ and sold as malware-as-a-service (MaaS), with multiple plugins available.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks