Overview

overview

10

Static

static

1

nht-refund...exe

windows7-x64

10

nht-refund...exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nht-refund...exe

  • Size

    579KB

  • Sample

    230320-cszzrsde4v

  • MD5

    6ca65058e490b038710bd1e2ac8cb457

  • SHA1

    c66ea296401994d1d352b2795b70dd38f7eb4f88

  • SHA256

    f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b

  • SHA512

    f3f473a6e7335b39cdd212ce287070e2f092cc550bd836ca66808b3483ef48c6152ad41a5f9a120c22c268af3960768b6fb7e03a8861bf444052c7cf1476229f

  • SSDEEP

    12288:sctmABdVLhcA9D/4BjCAYEKRkx/yX0chSSuPA:sqdpkBtqoaXLMS+

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

154.16.106.40:4441

Targets

    • Target

      nht-refund...exe

    • Size

      579KB

    • MD5

      6ca65058e490b038710bd1e2ac8cb457

    • SHA1

      c66ea296401994d1d352b2795b70dd38f7eb4f88

    • SHA256

      f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b

    • SHA512

      f3f473a6e7335b39cdd212ce287070e2f092cc550bd836ca66808b3483ef48c6152ad41a5f9a120c22c268af3960768b6fb7e03a8861bf444052c7cf1476229f

    • SSDEEP

      12288:sctmABdVLhcA9D/4BjCAYEKRkx/yX0chSSuPA:sqdpkBtqoaXLMS+

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks