General

  • Target

    Price List1.exe

  • Size

    662KB

  • Sample

    230331-r7mqbaag33

  • MD5

    464a6ec43ac1f064d3dfe307c7dfd921

  • SHA1

    468a543b51b6c797b668c8c442e451b1d9efe9d2

  • SHA256

    189d5e75f300e21f30ae87cef1c384a3e33e26b5546b8404090bffe3251d4a34

  • SHA512

    00e09724295dcf036ae1a70235b49cb37088b404edf61804cc31a8e2df8abcff058669620c82f679e00eec52f938c64b50eb618b361f3b82f174a333b5e77e20

  • SSDEEP

    12288:NxCqHrYCPCimOMt+EqjhOClSlWDClEPjRQ1HfWW:NxCqHrYLimXWvrs8RQ1H

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    104.223.19.96:80

Targets

    • Target

      Price List1.exe

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that supports multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks