General

  • Target

    96c82b3b09009b6705a261a639310b30.exe

  • Size

    226KB

  • Sample

    230227-ty883aee85

  • MD5

    96c82b3b09009b6705a261a639310b30

  • SHA1

    d4f103a21e1424a48813bc9aefc3b1fe59ed4c60

  • SHA256

    d094cf97104aeb8329fe0d30aaac1defe237c4f05fd57bf5f06c141818143ad4

  • SHA512

    110a1ea51ed7a1eff4d54b92f9aec3970e82c3d980a46ac0e7d7bc9b1211bf71fe4b347824573ff8f4765f6a0eb3a8f93808b8f32fbeda4305b51a264251aef4

  • SSDEEP

    3072:WfY/TU9fE9PEtuNbDNNG1mTfInt+S3vJXjqIYA9jwdUGZZFYzgIytf9wXfXsXCQP:AYa6j5NGUAndfljgAKPIytf96PEgsX

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    blackroots7.duckdns.org:1104

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6