General

  • Target: New order No 09052622.zip
  • Size: 192KB
  • Sample: 230223-srmaaaab5t
  • MD5: 456d3018973f9e8d547f2e025f125bbc
  • SHA1: a002259adab0e4806f788db67db72958f0c0c45d
  • SHA256: 0dc43c6b572e28d5744fcf9620589793255a2084069dc447c6c7904bb6f7a005
  • SHA512: 914b8687039896f1bbbb3e74ea11a0391da93b0de85bd05d0dcb689910dfa6e2120a112339027537da85f1bd0d2b2fe4d77ee273657f08e325dfa7923a02a947
  • SSDEEP: 6144:V2CBOpCXSxLe+myFxMi7XwC6bvmtjzAvB:0CBeCXSrMi7PJtoB

Malware Config

Extracted

  • Family: warzonerat
  • C2: telenaxty.ddns.net:7706

Targets

    • Target: New order No 09052622.exe
    • Size: 207KB
    • MD5: 29d35b6cc964c0fb669083ce180d4210
    • SHA1: 18206e7f0677a8b4a15a20db2e6baa0f1bc4e8ee
    • SHA256: 36cb5ed800f2c0206233ec5d4d797545da3ab91290c1291347ccae0ca768c369
    • SHA512: c2afe012d397a081e3f790191c79bf4966f28d9882daa51de37e8708e8d4722bfcd2d63bc7346d9960fb753f34c1a229d0ab82e6005af2b5fc12b0e3838d1757
    • SSDEEP: 6144:TYa6Re3BwxZeMmyF5Mi73wC6ZFmtZZvvE:TYDyBwtMi7vJtXE

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6