General

  • Target

    RFQ 28022023_02.img

  • Size

    508KB

  • Sample

    230228-p196xsba5w

  • MD5

    21eea37590426eca65ece1cb2cb3d889

  • SHA1

    fac056c016c6c17709118bfa177de23caf6403ce

  • SHA256

    4cbaf9537a032d23b749fa6843304610efb169b77f66f4fe38c7722b5d9c9fcc

  • SHA512

    1ff86abb4bc5ebb399767f8c7be798b21167d0f3d248778d943471efc87eff38ee1e64b3b84f9ca83eca6ea248993415e9bdd53e7d5998121d3b30c50ed9be61

  • SSDEEP

    12288:ZU4oDV9iCI43WAIp2FsyjMIOgy2Wx/zEhfkhqqgSQ:ZUnjid43WAqmJNWx/AKw/

Malware Config

Extracted

Family

warzonerat

C2

5.2.68.82:1198

Targets

    • Target

      RFQ 28022023_02.exe

    • Size

      457KB

    • MD5

      b02208089c3b213ddd70b428ba058bbe

    • SHA1

      c7f2c54cafc45ef509729e13daa327e454151238

    • SHA256

      9e81a9931fe17d6bfad93f3911e0173232a7c0152917f5982ccacd1fde452b77

    • SHA512

      d24c56b964690bbf608878d6f2ac53c8fa2613291d530e41681956ea30af620274bb56602df3d037837a13574efddc253f5831a299f8689dad27ad72189492fb

    • SSDEEP

      12288:tU4oDV9iCI43WAIp2FsyjMIOgy2Wx/zEhfkhqqgSQ:tUnjid43WAqmJNWx/AKw/

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample refusing to run in certain locales).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting the context of a thread in another process is the hallmark of process hollowing / injection: the payload is written into a suspended child and its entry point redirected before the thread resumes.
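The behaviours listed above can be correlated from an endpoint trace rather than read off a sandbox verdict. The Python below is an added example, not part of this report or of the sandbox that produced it: it walks a constructed, Sysmon-like event stream and flags each of the report's signatures, tracking "dropped" files statefully so that only a binary the trace itself saw written is counted as a dropped EXE or DLL. The event field names (type, pid, key, path, api, target_pid, dst_ip, dst_port) and the exact registry key used for the locale lookup are assumptions; the C2 address and port are taken from the extracted config above.

```python
"""Correlate this report's signatures against an endpoint event stream.
Added example, not report or sandbox code. Event dicts are constructed and
their field names are assumptions, not a real telemetry schema."""

C2_HOST, C2_PORT = "5.2.68.82", 1198          # from the extracted config

# Registry paths that give a dropped binary a foothold at logon.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
# Assumption: the "country code" lookup reads locale values under
# Control Panel\International; the report does not name the exact key.
GEO_KEY_FRAGMENT = r"control panel\international"


def triage(events):
    """Walk events in order and return {signature: [pids that triggered it]}.

    'Dropped' files are tracked statefully: a path counts as dropped once a
    file_create for it has been seen earlier in the same trace, so a later
    process_create or image_load of that path is flagged. The remaining
    signatures are stateless matches on a single event."""
    dropped = set()
    hits = {}

    def flag(sig, pid):
        hits.setdefault(sig, []).append(pid)

    for ev in events:
        kind, pid = ev.get("type"), ev.get("pid")
        key = ev.get("key", "").lower()
        path = ev.get("path", "").lower()

        if kind == "file_create":
            dropped.add(path)
        elif kind == "process_create" and path in dropped:
            flag("Executes dropped EXE", pid)
        elif kind == "image_load" and path in dropped:
            flag("Loads dropped DLL", pid)
        elif kind == "registry_read" and GEO_KEY_FRAGMENT in key:
            flag("Checks computer location settings", pid)
        elif kind == "registry_set" and any(k in key for k in RUN_KEYS):
            flag("Adds Run key to start application", pid)
        elif (kind == "api_call" and ev.get("api") == "SetThreadContext"
              and ev.get("target_pid") != pid):
            # Rewriting a thread context in *another* process is the
            # hollowing/injection tell; a process touching its own threads
            # is not flagged, which keeps benign debuggers and runtimes quiet.
            flag("Suspicious use of SetThreadContext", pid)
        elif (kind == "network_connect" and ev.get("dst_ip") == C2_HOST
              and ev.get("dst_port") == C2_PORT):
            flag("Connects to warzonerat C2", pid)
    return hits


# Constructed trace imitating the chain the report describes: the EXE inside
# the mounted IMG runs, checks locale, drops a payload and a DLL, sets a Run
# key, runs the payload, which hollows a child that beacons to the C2.
DROP = r"C:\Users\user\AppData\Roaming\payload.exe"   # placeholder paths
DLL = r"C:\Users\user\AppData\Roaming\helper.dll"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "path": r"E:\RFQ 28022023_02.exe"},
    {"type": "registry_read", "pid": 100,
     "key": r"HKCU\Control Panel\International\Locale"},
    {"type": "file_create", "pid": 100, "path": DROP},
    {"type": "file_create", "pid": 100, "path": DLL},
    {"type": "registry_set", "pid": 100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "payload", "data": DROP},
    {"type": "process_create", "pid": 200, "path": DROP},
    {"type": "image_load", "pid": 200, "path": DLL},
    {"type": "api_call", "pid": 200, "api": "SetThreadContext", "target_pid": 300},
    {"type": "api_call", "pid": 200, "api": "SetThreadContext", "target_pid": 200},
    {"type": "network_connect", "pid": 300, "dst_ip": C2_HOST, "dst_port": C2_PORT},
    {"type": "network_connect", "pid": 300, "dst_ip": C2_HOST, "dst_port": 443},
]

if __name__ == "__main__":
    for sig, pids in triage(SAMPLE_EVENTS).items():
        print(f"{sig:40s} pids={pids}")
```

The first process_create (the EXE run straight from the mounted image) is deliberately not flagged as a dropped EXE, since nothing in the trace wrote it; the self-targeted SetThreadContext and the connection to the C2 host on a different port are likewise left unflagged, so the output lists exactly the six behaviours the report attributes to the sample.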

MITRE ATT&CK Enterprise v6