Overview

overview

10

Static

static

3

PURCHASE ORDER.exe

windows7-x64

10

PURCHASE ORDER.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PURCHASE ORDER.xls.z

  • Size

    236KB

  • Sample

    230808-xcdrtafb99

  • MD5

    333aac40f8c35335fd4fe2eb24a7dad4

  • SHA1

    4f91fc489be8064901c4b36849272c82deddada0

  • SHA256

    b73e195266df81de789d37b4659da0467f9cdae883642341b45722a931b47620

  • SHA512

    e474bb2af74cd63181d50a86b2d1f075d72c99ac1a3989c7e8fb6113ca0b1a75c3f00635cbbab6b7824c3b9f39bac51998a4018046e05869baf049bad432f315

  • SSDEEP

    6144:vSAD1oBKUUEFCZjtWoLYF+0sllRIjwHnBzOIhcR5hp:PuOqoLYqRCengIi

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

103.212.81.157:5167

Targets

    • Target

      PURCHASE ORDER.exe

    • Size

      678KB

    • MD5

      a2fe6a19174c433e304629876ae3e83e

    • SHA1

      7fdfd511b37459a131acba5fd4cfaeac2596bb00

    • SHA256

      4aed7e79799b99831a8e43da5e4ead88792f7852560cfe80aab8fc3663aa0c14

    • SHA512

      a3f6cfa1255b06fafd6e0b43d3d4be92fccd5cc9786e4b838eb0c9926e19c356536a2406a0ca935181c882d8d14016df5552d5d91ba9a29b4b93c47934a9c31e

    • SSDEEP

      6144:WYa6wA+J7XPJnad1zbOJY5uW8lhpx0o36:WYyAQ7fJnynOhA

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks