General

  • Target

    930aa1820fa08d9e2a36b6eb6d24749a.exe

  • Size

    1.0MB

  • Sample

    230228-fsjvbshd91

  • MD5

    930aa1820fa08d9e2a36b6eb6d24749a

  • SHA1

    9c448f1e95610373caa3b9dc61bb6251c7925f92

  • SHA256

    27ad4236669f741a8cb23e2d31854b075244f61bcccbb4b0ab55ee63a708ba45

  • SHA512

    e87cf1dff5b19e9aeb24792f2f47f5d814b889fad0dc8175c25d9a948d9e5d83b189398c0893bf16fb3cdcf5df45db115d7074e61b1b6caed74f7d86c7707395

  • SSDEEP

    24576:N2VL5gh7mViJUXxJfoQQMcOOOTPkBpCtcuVfJYOW:IVL5gQVUUXLQomOyKJYO

Malware Config

Extracted

Family

warzonerat

C2

37.0.14.210:29221

Targets

    • Target

      930aa1820fa08d9e2a36b6eb6d24749a.exe


    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check used to decide whether to run on this host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run, so the payload is relaunched at logon.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects a suspended thread's execution; together with the dropped EXE above, this is the characteristic step of process hollowing / thread-hijack injection.
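The signatures above describe what the sample does on a host. The following is an added example (my code, not part of the sandbox report and not the malware's own code) that turns those same behaviours into detection logic run over constructed Sysmon-style events: a known-hash match, execution of a file the sample dropped, a Run key write, and a connection to the extracted C2. Only the SHA256 and the C2 endpoint come from the report; every path, user name and SID in the event list is hypothetical.

```python
"""Behaviour and IOC matcher for the WarzoneRat report above.

Added example, not code from the sandbox report or from the malware's
authors. It runs the report's signatures as detection logic over
Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect,
11 FileCreate, 13 RegistryValueSet). Only the SHA256 and the C2
endpoint come from the report; every path, user and SID below is a
constructed, hypothetical value.
"""
import json
import re

# Indicators taken from the report
SAMPLE_SHA256 = "27ad4236669f741a8cb23e2d31854b075244f61bcccbb4b0ab55ee63a708ba45"
C2 = ("37.0.14.210", 29221)

# Run / RunOnce keys under any hive (HKU\<SID>\..., HKLM\...)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed event stream (hypothetical paths), time-ordered like a real log
SAMPLE_PATH = r"C:\Users\lab\Desktop\930aa1820fa08d9e2a36b6eb6d24749a.exe"
DROPPED_PATH = r"C:\Users\lab\AppData\Roaming\images.exe"
EVENTS = [
    {"EventID": 1, "Image": SAMPLE_PATH,
     "Hashes": "MD5=930AA1820FA08D9E2A36B6EB6D24749A,"
               "SHA256=27AD4236669F741A8CB23E2D31854B075244F61BCCCBB4B0AB55EE63A708BA45"},
    {"EventID": 11, "Image": SAMPLE_PATH, "TargetFilename": DROPPED_PATH},
    {"EventID": 1, "Image": DROPPED_PATH, "ParentImage": SAMPLE_PATH,
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 13, "Image": DROPPED_PATH,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": DROPPED_PATH},
    {"EventID": 3, "Image": DROPPED_PATH, "DestinationIp": "37.0.14.210", "DestinationPort": 29221},
    # benign noise that must not match
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "Details": r"C:\Users\lab\Desktop"},
]


def parse_hashes(field):
    """Split Sysmon's 'MD5=..,SHA256=..' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage(events, sample_sha256=SAMPLE_SHA256, c2=C2):
    """Return the report's behaviours found in a time-ordered event list."""
    dropped = set()  # files written during the trace, for 'Executes dropped EXE'
    findings = {"known_sample": [], "dropped_exe_executed": [],
                "run_key_persistence": [], "c2_connection": []}
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 1:
            if parse_hashes(ev.get("Hashes", "")).get("SHA256") == sample_sha256:
                findings["known_sample"].append(ev["Image"])
            if ev["Image"].lower() in dropped:
                findings["dropped_exe_executed"].append(ev["Image"])
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings["run_key_persistence"].append((ev["TargetObject"], ev.get("Details", "")))
        elif eid == 3 and (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))) == c2:
            findings["c2_connection"].append(ev["Image"])
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Run it directly to print the four findings for the constructed trace. Against a real host you would feed it events exported from the Microsoft-Windows-Sysmon/Operational channel instead of the inline list; the dropped-file check relies on the FileCreate event preceding the ProcessCreate event, which holds for a time-ordered export.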
