General

  • Target

    Leintz PO-2023-04-03.exe

  • Size

    687KB

  • Sample

    230403-m4jr2aff8x

  • MD5

    e588266d7f1c8f4e397bae4cdcf2710d

  • SHA1

    5e1a9233b25485885a61bb2dc5f897cbf761250a

  • SHA256

    653acedbfd1cc43d370d69f63265a58ac180689929c376ffa72fa0d3410b4cca

  • SHA512

    5e209d2dd3c4777d531d4b34ca433655af9e15e64a268f93be58f2abc9c1cbae265ca016e4e01a8370697d837f7d5c765356f6531e2356410fe82c22c604bef7

  • SSDEEP

    12288:R5CBWKdq1FbwwJLwr5xhReyeAhyTk4oIiYDfXtsPWrrnBeKFN+8tV9oJ:CfrpNle0yQgDXtaWrLBeKFNRt8J

Malware Config

Extracted

Family

warzonerat

C2

84.38.133.217:5888

Targets

    • Target

      Leintz PO-2023-04-03.exe

    • Size

      687KB

    • MD5

      e588266d7f1c8f4e397bae4cdcf2710d

    • SHA1

      5e1a9233b25485885a61bb2dc5f897cbf761250a

    • SHA256

      653acedbfd1cc43d370d69f63265a58ac180689929c376ffa72fa0d3410b4cca

    • SHA512

      5e209d2dd3c4777d531d4b34ca433655af9e15e64a268f93be58f2abc9c1cbae265ca016e4e01a8370697d837f7d5c765356f6531e2356410fe82c22c604bef7

    • SSDEEP

      12288:R5CBWKdq1FbwwJLwr5xhReyeAhyTk4oIiYDfXtsPWrrnBeKFN+8tV9oJ:CfrpNle0yQgDXtaWrLBeKFNRt8J

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks