General

  • Target

    9313545749.zip

  • Size

    407KB

  • Sample

    230228-tsn1yabg6w

  • MD5

    5f83d4effa275d60640b1366ff5efc3a

  • SHA1

    8b37accc0c1f14084b4e6f6b93121160f52fc4e4

  • SHA256

    7056a74c2e405fa294f9cdc592805fe28f1bc87aa53ef065f8302a42c877a674

  • SHA512

    fe73a79e6ceaf34d1b1a6c76621fc455b5af2125c602da875db7dbddc4c7bf60e7c2039b9db54da092ea292412546adcc378635e23f72b22cab8b53cf52aca07

  • SSDEEP

    6144:pttHH0SblELEPWvqUEUPpbKcsS2rOmXxl1JyB95LQHUAnbbO7MUy+iUcQykl3zg:HJT6LDqeK936ANJYqHp//UyBGjzg

Malware Config

Extracted

Family

warzonerat

C2

5.2.68.82:1198

Targets

    • Target

      9e81a9931fe17d6bfad93f3911e0173232a7c0152917f5982ccacd1fde452b77

    • Size

      457KB

    • MD5

      b02208089c3b213ddd70b428ba058bbe

    • SHA1

      c7f2c54cafc45ef509729e13daa327e454151238

    • SHA256

      9e81a9931fe17d6bfad93f3911e0173232a7c0152917f5982ccacd1fde452b77

    • SHA512

      d24c56b964690bbf608878d6f2ac53c8fa2613291d530e41681956ea30af620274bb56602df3d037837a13574efddc253f5831a299f8689dad27ad72189492fb

    • SSDEEP

      12288:tU4oDV9iCI43WAIp2FsyjMIOgy2Wx/zEhfkhqqgSQ:tUnjid43WAqmJNWx/AKw/

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks