General

  • Target

    Company Profile.exe

  • Size

    952KB

  • Sample

    230403-3r92fsde6x

  • MD5

    3ab24aa99a56dc74f96fb324a8223a21

  • SHA1

    a65704be67f79bbcdd2f6c991ea60733273bc0b2

  • SHA256

    b65180d1894153d56a13fdc5148d9aadb1e68f086ad4b97e8e4a1df2217aeb7d

  • SHA512

    4b25d0744979951d55f3a4a929cd392994da55c271942310b131e1d0e90e2b70097eabcf1df30f05a363f6f7e6530d18ec77deca52a82345fc728d373c43bc0f

  • SSDEEP

    6144:wXLHjcMVlqPGlVjPnBemyAjOYSfocnCzmcIBZVyF:wbHo1qjPkmlefdnrcKq

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    46.183.222.62:5353

Targets

    • Target

      Company Profile.exe

    • Size

      952KB

    • MD5

      3ab24aa99a56dc74f96fb324a8223a21

    • SHA1

      a65704be67f79bbcdd2f6c991ea60733273bc0b2

    • SHA256

      b65180d1894153d56a13fdc5148d9aadb1e68f086ad4b97e8e4a1df2217aeb7d

    • SHA512

      4b25d0744979951d55f3a4a929cd392994da55c271942310b131e1d0e90e2b70097eabcf1df30f05a363f6f7e6530d18ec77deca52a82345fc728d373c43bc0f

    • SSDEEP

      6144:wXLHjcMVlqPGlVjPnBemyAjOYSfocnCzmcIBZVyF:wbHo1qjPkmlefdnrcKq

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks