General

  • Target

    e2260c68631c4c1be8b873c859e84a2c9737cb348414b1fb2860a139d781a8b8

  • Size

    1.1MB

  • Sample

    230228-kvmffsae67

  • MD5

    205b7ece70a889f37c1bbf44cd79461a

  • SHA1

    1cb79cf6908f6248189f0c5a850cb2962f096f20

  • SHA256

    e2260c68631c4c1be8b873c859e84a2c9737cb348414b1fb2860a139d781a8b8

  • SHA512

    6d09f68fa9aefe7eb53d9538494a105ff1abd1b7e511dfbafa213cd18d112fa2c1eaa475c15ef68795849cba18fa4abd64d131c83043078c48fb3a4859738f03

  • SSDEEP

    24576:x3gmeVuCA6/+o77dK+NQoUQDx87xgAb/DAfRBUx/6qW:5gmeVua+w7PQc8uADDAfjU1B

Malware Config

Extracted

Family

warzonerat

C2

195.133.40.92:5200

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks