General

  • Target

    6268aa7baf3e305e3719837676a68beb.exe

  • Size

    465KB

  • Sample

    230228-bt375sgf61

  • MD5

    6268aa7baf3e305e3719837676a68beb

  • SHA1

    a55a03d01304c4b9b95898b48411014bb2356a32

  • SHA256

    8bda08d3f496963bfe69b61b77363ea31352ca56a56ccfbc8b17b86a6ada2bc3

  • SHA512

    36fe7cf1a65bd7d3fd8b33c433e4b61cb74be2452857f2f9be68253215b5824994107d1ba8715ce49da6855907856a0f8336a8ff15769284ab4f693d477ad941

  • SSDEEP

    12288:g3cNEybixPz7WS60tY8E+uMxALTPhc027husFmS11nhoe0:Uxxr7WS60tjE+XAHC0OEsFZ1ye0

Malware Config

Extracted

Family

warzonerat

C2

193.42.33.27:5200
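
The hashes and the extracted C2 above are the indicators a responder actually pivots on. The following is an added example, not part of the sandbox report or its vendor's tooling: it hashes a file with every algorithm the report lists and compares against the reported values, and it sweeps connection-log lines for the C2 endpoint. Only the digests and the `193.42.33.27:5200` endpoint come from the report; the log format (`timestamp src dst:port proto`) and the log lines themselves are constructed for the demonstration.

```python
"""IOC matcher for the WarzoneRAT sample described in the report above.

Added example; only REPORT_HASHES and the C2 endpoint are taken from the report.
The log format and SAMPLE_LOG lines are constructed for the demonstration.
"""
import hashlib
import re
import sys
from dataclasses import dataclass

# Digests copied verbatim from the report.
REPORT_HASHES = {
    "md5": "6268aa7baf3e305e3719837676a68beb",
    "sha1": "a55a03d01304c4b9b95898b48411014bb2356a32",
    "sha256": "8bda08d3f496963bfe69b61b77363ea31352ca56a56ccfbc8b17b86a6ada2bc3",
    "sha512": "36fe7cf1a65bd7d3fd8b33c433e4b61cb74be2452857f2f9be68253215b5824994107d1ba8715ce49da6855907856a0f8336a8ff15769284ab4f693d477ad941",
}
# Extracted C2 from the report.
C2_HOST, C2_PORT = "193.42.33.27", 5200


def hash_bytes(data: bytes) -> dict:
    """Compute every digest the report lists, so one read of the file covers all."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def match_hashes(data: bytes) -> list:
    """Names of the algorithms whose digest equals the reported value.

    One match is enough to confirm the file. An empty list does not clear it:
    a repacked build of the same family will have entirely different hashes,
    which is why the C2 sweep below matters as well.
    """
    digests = hash_bytes(data)
    return [name for name, value in digests.items() if value == REPORT_HASHES[name]]


# Constructed log lines (not from the report): "timestamp src dst:port proto".
SAMPLE_LOG = """\
2023-02-28T10:01:02Z 10.0.0.15 142.250.74.110:443 tcp
2023-02-28T10:01:07Z 10.0.0.15 193.42.33.27:5200 tcp
2023-02-28T10:02:11Z 10.0.0.22 193.42.33.27:443 tcp
2023-02-28T10:03:40Z 10.0.0.15 193.42.33.27:5200 tcp
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<src>{IPV4})\s+(?P<dst>{IPV4}):(?P<port>\d+)\s+(?P<proto>\w+)"
)


@dataclass(frozen=True)
class C2Hit:
    ts: str
    src: str
    exact_port: bool  # True when the destination port is the reported 5200


def find_c2_hits(log_text: str) -> list:
    """Return a C2Hit for every line whose destination is the reported C2 host.

    Connections to the host on other ports are returned too, flagged with
    exact_port=False, so the analyst sees them rather than silently losing them.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != C2_HOST:
            continue
        hits.append(C2Hit(m["ts"], m["src"], int(m["port"]) == C2_PORT))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {C2_HOST} exact_port={hit.exact_port}")
    # Optionally hash a file given on the command line and compare it.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(match_hashes(fh.read()) or "no hash match")
```

Run it with a path to a suspect file to compare its digests; with no arguments it only runs the C2 sweep over the constructed log. On the sample log the two `193.42.33.27:5200` lines are exact hits and the `:443` line is reported as a same-host hit on a different port.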

Targets

    • Target

      6268aa7baf3e305e3719837676a68beb.exe

    • WarzoneRat, AveMaria

      WarzoneRat (also sold as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Adds Run key to start application

      Persistence through a registry Run key, so the payload is relaunched at user logon.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a thread's execution; this pattern is typical of process hollowing and related injection techniques.

MITRE ATT&CK Enterprise v6

Tasks