General

  • Target

    QUOTATION_ MAR 300377FIBA00541_PDF.scr

  • Size

    1.9MB

  • Sample

    230403-mdvfvaea87

  • MD5

    0d472e5124d01d8370e53ac3e3755eee

  • SHA1

    8e121b294da073a8f728ae141db7a98eba8d2ba4

  • SHA256

    d4b826238b85f99b00a92e02e06a8373f0f132bf1b6f4a64c09deb0aeb1ccf66

  • SHA512

    8320577e5f00caa865f5eba68f53ebfb3b51b2d6da3a7c5a8a75ee24c8cad78f3b84626dfc1e72151b1615e44764a8801b80cce1cce1d7a131a5f2685e0dcadc

  • SSDEEP

    24576:7Wld/vZGKtu1Dze6HDpLJKvEcYJLn21inkWxQMvlhfZKFfpGsQLUKorLX9uRMnyR:7PKYxupGEuPtI6c

Malware Config

Extracted

Family

warzonerat

C2

46.183.216.163:24626

Targets

    • Target

      QUOTATION_ MAR 300377FIBA00541_PDF.scr

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks