General

  • Target

    9e4b8dd5015ff503c145d5d110c0899c.exe

  • Size

    717KB

  • Sample

    230326-1t3ztaab69

  • MD5

    9e4b8dd5015ff503c145d5d110c0899c

  • SHA1

    fc17f01106a589943ea2937de4dbd68f5de50cb1

  • SHA256

    abb0a038d3f1c7c5ea61cdd46e797e1862e5f70d1382d58d59e5404b705bca08

  • SHA512

    a3eac22d9935f8d9d421ecd68648eeeaa08a97ed9ec904a851a271dd0fdc0bd236a4b58823f6d7c4c9e7d4ce721678ee2bca60e223406da450d3af5b51b4d2fc

  • SSDEEP

    12288:dIteEGAFDh24NS8Y7GrRybCC4h2M6lavptrnpoZa+fuFtUN4Hhzsc:BIY7GrRy74h8avbrUa+ItPic

Malware Config

Extracted

Family

warzonerat

C2

84.38.133.19:5200

Targets

    • Target

      9e4b8dd5015ff503c145d5d110c0899c.exe

    • Size

      717KB

    • MD5

      9e4b8dd5015ff503c145d5d110c0899c

    • SHA1

      fc17f01106a589943ea2937de4dbd68f5de50cb1

    • SHA256

      abb0a038d3f1c7c5ea61cdd46e797e1862e5f70d1382d58d59e5404b705bca08

    • SHA512

      a3eac22d9935f8d9d421ecd68648eeeaa08a97ed9ec904a851a271dd0fdc0bd236a4b58823f6d7c4c9e7d4ce721678ee2bca60e223406da450d3af5b51b4d2fc

    • SSDEEP

      12288:dIteEGAFDh24NS8Y7GrRybCC4h2M6lavptrnpoZa+fuFtUN4Hhzsc:BIY7GrRy74h8avbrUa+ItPic

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks