General

  • Target

    tmp

  • Size

    371KB

  • Sample

    230402-htjbasfb44

  • MD5

    bddc4de227367c9c62d09664b29fc40b

  • SHA1

    618d7ac1e3f63762e5f8e24d48f84f35d46295c5

  • SHA256

    66d6fed53bcf671c54f9cb96fdd781a52a7cbef3c85f9d2942de89ccd4f49bf7

  • SHA512

    8761b08db5b26c2395a033f0f9dab0de3f3a52b0045f157a60b8e9053c899302d27c1d1ee00cb3807818a82831e6954f54c34c92b02fe6996aa2e801b2e69685

  • SSDEEP

    6144:FoeJqfPFq18M+8KUtVp8By6DfrA9weQ9uIHMGUqQ36DrKKaLQtbxpNu2BhLw8G+:aeEV0rtVqA6TrA6owQrQtbxfu61

Malware Config

Extracted

Family

warzonerat

C2

5.161.206.28:5200
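The hashes and the C2 above are the actionable indicators in this report. The script below is an added example for this page, not code from the report or from the sandbox vendor: it copies those values as constants, hashes a file or byte string with all four algorithms so a truncated or mistyped hash shows up as a partial match, and scans flow-log lines for connections to the C2. The log format, the sample log lines and the file paths are constructed for the demonstration; host-only hits are kept but marked low confidence because the port may change between builds and one address can host unrelated services.

```python
"""IOC checks for the WarzoneRat sample in this report.

Added example for this page, not code from the report or from the sandbox
vendor. The hashes and C2 below are copied from the report; every file
path, log line and log format is constructed for the demonstration.
"""
import hashlib
import re

# Hashes of the analysed sample, as listed in the report.
IOC_HASHES = {
    "md5": "bddc4de227367c9c62d09664b29fc40b",
    "sha1": "618d7ac1e3f63762e5f8e24d48f84f35d46295c5",
    "sha256": "66d6fed53bcf671c54f9cb96fdd781a52a7cbef3c85f9d2942de89ccd4f49bf7",
    "sha512": (
        "8761b08db5b26c2395a033f0f9dab0de3f3a52b0045f157a60b8e9053c899302"
        "d27c1d1ee00cb3807818a82831e6954f54c34c92b02fe6996aa2e801b2e69685"
    ),
}

# C2 extracted from the sample's configuration.
C2_HOST = "5.161.206.28"
C2_PORT = 5200


def hash_bytes(data: bytes, algos=tuple(IOC_HASHES)) -> dict:
    """Hex digests of `data` for every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def match_hashes(data: bytes, iocs=IOC_HASHES) -> list:
    """Names of the algorithms whose digest of `data` equals the IOC value.

    Comparing all four catches a report that was copied with one hash
    truncated or mistyped: a true match on the sample returns all of them.
    """
    digests = hash_bytes(data, tuple(iocs))
    return sorted(algo for algo, want in iocs.items() if digests[algo] == want.lower())


def match_file(path, iocs=IOC_HASHES) -> list:
    """Hash a file on disk in chunks and compare it against the IOCs."""
    hashers = {algo: hashlib.new(algo) for algo in iocs}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return sorted(algo for algo, want in iocs.items()
                  if hashers[algo].hexdigest() == want.lower())


# Constructed flow-log format (hypothetical, not any vendor's):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    "2023-04-02T10:15:01Z 10.0.0.12:51022 -> 203.0.113.10:443 tcp",
    "2023-04-02T10:15:07Z 10.0.0.12:51031 -> 5.161.206.28:5200 tcp",
    "2023-04-02T10:16:40Z 10.0.0.45:49877 -> 5.161.206.28:443 tcp",
    "malformed line that the parser must skip",
]


def scan_log(lines, host=C2_HOST, port=C2_PORT) -> list:
    """Flag flows to the C2 address.

    A hit on host *and* port is high confidence. A hit on the host alone is
    kept but marked low confidence: operators move ports between builds,
    and a single address can host unrelated services, so host-only hits
    need a second look rather than an automatic block.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] != host:
            continue
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": f"{m['dst']}:{m['dport']}",
            "confidence": "high" if int(m["dport"]) == port else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("hash match on unrelated bytes:", match_hashes(b"not the sample"))
```

Run `match_file` over quarantined files or a collected triage set; a result listing fewer than the four algorithms means the copied IOC set itself is inconsistent and should be re-checked against the original report before it is distributed.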

Targets

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native Windows RAT written in C++ and sold as malware-as-a-service (MaaS); its functionality is extended through plugins.

    • Warzone RAT payload

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext (consistent with code injection by thread hijacking or process hollowing)

MITRE ATT&CK Enterprise v6
