General

  • Target

    ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.zip

  • Size

    164KB

  • Sample

    230327-pdgabsdd28

  • MD5

    555afb68e00be6d85a705c0e0d520c5e

  • SHA1

    40d7dc5e13c18c67bbba04eb921444d833d37be3

  • SHA256

    e990dd506564894065bf5ca3643bcf9c57f0de16611e7f2858849b9daf973774

  • SHA512

    71eb4d21aa281284e598fa934e60cadc540766a833970ee5a1a2751316b97cdb87db8430ca42445eb96b3078240fca50edbe527d68ad77a053973268373efc46

  • SSDEEP

    3072:2+UNd2fU0eaig4ynrdePnOl4ls1j3sg/XNMfHWbIRop83QRrX:Yd2fUBbgBnrYfm4ls1AOM/WIoEQ1X

Malware Config

Extracted

Family

warzonerat

C2

46.183.222.62:5353

Targets

    • Target

      ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b.exe

    • Size

      193KB

    • MD5

      53622e61772d39cd6868b89aaabb8249

    • SHA1

      97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b

    • SHA256

      ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b

    • SHA512

      1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95

    • SSDEEP

      6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks