General

  • Target

    2e5428a15a37026ad74f3bf13f15ce40.bin

  • Size

    893KB

  • Sample

    230506-bxj9fahf7z

  • MD5

    6122b47e274eb7ca41e95400bbf9718c

  • SHA1

    ddb65d563d32ec8b38e224c82053d07b8587e0b3

  • SHA256

    96328956ca74e4727130db3cc37cf87568427f3a596ff2eeb2b7bd5242d381db

  • SHA512

    e453fa8a1860f3496d93ea28e549a55305f46bc6bdd8e9c687dc42a68ad83dfb0e9061955dbc20e9aade320015845824091038f359a52c6e2dfaab69d50fd127

  • SSDEEP

    24576:EkwYDFms3orbF3C1ZZHdDrS2Ytrheyt+8EuJ9wxVz:/abAHdat3+kjwzz

Malware Config

  • Extracted

  • Family

    warzonerat

  • C2

    jeron7.duckdns.org:2905

Targets

    • Target

      ec0f998453e3125596d9907d4e5fdfc367ddee82239fadc50a7c67ed1cad4c64.xlsx

    • Size

      896KB

    • MD5

      2e5428a15a37026ad74f3bf13f15ce40

    • SHA1

      f97238cfc6bf1c84ae8d69df7ca5461bb764460c

    • SHA256

      ec0f998453e3125596d9907d4e5fdfc367ddee82239fadc50a7c67ed1cad4c64

    • SHA512

      74d9d48a2dc06ce9cb302adb36fe009380272a6c47a3ac73d47f1eb23ddcaaf0dd5b3bd457fe0d2d60455c0b7c8bd97bdbf9f2ba38a04959b3b4ed1873257cb8

    • SSDEEP

      12288:70CxAvsDoysUIRudr2mFsBoI+MAgQCeAwcdpc3BnVmtflCXKaK8UAoiDAVth:wGhWUI8didBoI7MUETwAKapoPjh

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks