General

  • Target

    5c72a278eea4555f1ce1035ea71fe05c.bin

  • Size

    497KB

  • Sample

    230401-btnsfsgd3z

  • MD5

    e012fe35b4549ec0684ee1a8f9c09871

  • SHA1

    39bd3e4cab7fcfecb3d2fb39cb772f1e6dea6079

  • SHA256

    d8e2e07e54f87f526a35435de4b80b4b6fc5caa59d3499c4f1f01432e3fe6c5d

  • SHA512

    7ebccda058897e5e7c60d21ebfa6a0a8d9fa023644813fd40a32aa87f0d5df3003f8e1e9530779c085ea888671514db084935efb10791f23fe56b328c2a6f5a5

  • SSDEEP

    12288:saOmCxpAYUphC1CoqgQ1MLCPNgVRvdILQdnhYhTmEawi:sLm3YUC1CoqgQ1FPNiRuLInhqTmBwi

Malware Config

Extracted

Family

warzonerat

C2

104.223.19.96:80

Targets

    • Target

      9d23ef1df51ca5f49d86bf9790e32a441525dadd86c3435658e51a012c51e3af.exe

    • Size

      666KB

    • MD5

      5c72a278eea4555f1ce1035ea71fe05c

    • SHA1

      dc54d9061b86771a60bfc0225e462fe620a2647a

    • SHA256

      9d23ef1df51ca5f49d86bf9790e32a441525dadd86c3435658e51a012c51e3af

    • SHA512

      453a70fb1d40d561ac578fed149defebdc3cbb21cf01dfa61365dbf88a032b073e655bb18f1a5c32f51413beffbba654cc5892b67877b6d0f65493cd54d87bad

    • SSDEEP

      12288:X7n2ziKbtL8X4dRqwFtr3cCZ5yS9Tx+pMhp1YVj9J9LJNbimOMt+:TlX4dXt7csySbNhpUT9LJNbimX

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks