General

  • Target: 0269b81f75aa1101e557c3ebb49eb4c5
  • Size: 219KB
  • Sample: 230224-bp2thshg34
  • MD5: 0269b81f75aa1101e557c3ebb49eb4c5
  • SHA1: 67412ee26893ec720e4ae7734026047aafd8f58b
  • SHA256: 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7
  • SHA512: 79d957ba94f4bc73202f837894b81288aef3adb45f6d114b3cc1ad85dbd19533e4010ba0f9fefc260e5aeae431cd11d36e1b31f06f837c19f4b1b03b752c39d7
  • SSDEEP: 3072:WfY/TU9fE9PEtuTbJd1LgNtkoyj162pk7DdpFiUBnXJPVS9Zhj5h0hDUUCQn5+a6:AYa6F311516fDdhRXpVsNytUlQnDvS

Malware Config

Extracted

  • Family: warzonerat
  • C2: blackroots7.duckdns.org:1104

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
