Overview

overview

10

Static

static

1

Need Price...3.xlsx

windows7-x64

10

Need Price...3.xlsx

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Need Price No.34 10-03-2023.xlsx

  • Size

    1.0MB

  • Sample

    230310-qsynlaff3y

  • MD5

    afd2e15a47dc9394c96f5e83078ea288

  • SHA1

    b17977343c32004cc7e2f692fd04ee0ec3bea0b5

  • SHA256

    c1158a1df03d75859f08f5e9f8909ea8bf5c63a6dbc78485d543dfa461cfe478

  • SHA512

    04fe7fc6491f67a7aa52bfd1a9a47861ea555c3a68b5bf75b79727126cb8b9ff6b33d1dfff7797ff60cd4cf35f596f376348b053da230f44e62f2640be7ea1a9

  • SSDEEP

    24576:9bvFPyNd0ViftpBbbnKpm7BYYnhyovhkfbXk/jj2HB:bPyNqif7VnK5Aysh8XmjKh

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

konkation.duckdns.org:6548

Targets

    • Target

      Need Price No.34 10-03-2023.xlsx

    • Size

      1.0MB

    • MD5

      afd2e15a47dc9394c96f5e83078ea288

    • SHA1

      b17977343c32004cc7e2f692fd04ee0ec3bea0b5

    • SHA256

      c1158a1df03d75859f08f5e9f8909ea8bf5c63a6dbc78485d543dfa461cfe478

    • SHA512

      04fe7fc6491f67a7aa52bfd1a9a47861ea555c3a68b5bf75b79727126cb8b9ff6b33d1dfff7797ff60cd4cf35f596f376348b053da230f44e62f2640be7ea1a9

    • SSDEEP

      24576:9bvFPyNd0ViftpBbbnKpm7BYYnhyovhkfbXk/jj2HB:bPyNqif7VnK5Aysh8XmjKh

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks