General

  • Target: 1376df41ef75f22b8d35a4407c9aa23789e82c5b49bbef3cba7406bafa067122

  • Size: 219KB

  • Sample: 230223-fdjk1sgf5s

  • MD5: c60f1da307389c105e1aa8cb22992413

  • SHA1: a0cee0c49a307c9d4703c7a722f8632d1ee1f7ec

  • SHA256: 1376df41ef75f22b8d35a4407c9aa23789e82c5b49bbef3cba7406bafa067122

  • SHA512: e5dd9393c01d6ff2d0ccc976769e1bf98648bcfbc77084e02158fe1b5b9712ad17dfa5abf57af18856a2e7bc1c03551d79c0345b1919aa426ec6c05f66b0d85b

  • SSDEEP: 3072:2fY/TU9fE9PEtuPbr6IHtXFt7mWfz0V8WbBX/bXHMMmYIjhhuajn22jDYZFauPfI:gYa6JrFDhn783bBPgVYIjbuajFXuHwxf

Malware Config

Extracted

  • Family: warzonerat

  • C2: blackroots7.duckdns.org:1104

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks