General

  • Target

    order of quotationpdf.exe

  • Size

    5.2MB

  • Sample

    230404-mxtcwsed34

  • MD5

    3a222ba5c055f7e201ae3a121fe9db9a

  • SHA1

    2d48a7a17e8923c26772554a74283f42b9627074

  • SHA256

    0707a593ad8753e14a7b1dba97a1889f039312faded9165d76920a6c25bc8388

  • SHA512

    f5098d4a28624228af1902686bb805d14cf79a6ce186ee25d084e66cc9d13be8b89e3fcca391c1b2c403389144853c9bb1e995217df11ab56a9a60841211fa06

  • SSDEEP

    49152:UIoUnxXdZosToeyp2++zNccaBD19HY5VizkTuQCAlwHyTGhZMk:nnxos0pbB/

Malware Config

  • Extracted

    Family

    warzonerat

    C2

    193.47.61.26:5200

Targets

    • Target

      order of quotationpdf.exe

    • Size

      5.2MB

    • MD5

      3a222ba5c055f7e201ae3a121fe9db9a

    • SHA1

      2d48a7a17e8923c26772554a74283f42b9627074

    • SHA256

      0707a593ad8753e14a7b1dba97a1889f039312faded9165d76920a6c25bc8388

    • SHA512

      f5098d4a28624228af1902686bb805d14cf79a6ce186ee25d084e66cc9d13be8b89e3fcca391c1b2c403389144853c9bb1e995217df11ab56a9a60841211fa06

    • SSDEEP

      49152:UIoUnxXdZosToeyp2++zNccaBD19HY5VizkTuQCAlwHyTGhZMk:nnxos0pbB/

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks