General

  • Target

    3e4da5132877e955fb455e58e300b56033c07a6d2709b386fdc5c43a88e1c499

  • Size

    534KB

  • Sample

    240213-f5bz9age86

  • MD5

    16cd177899279d5d2d27443286ccc41b

  • SHA1

    91c1ee553aa8ac4cd24ef5800c6ac12da7becdee

  • SHA256

    3e4da5132877e955fb455e58e300b56033c07a6d2709b386fdc5c43a88e1c499

  • SHA512

    d1175ab4e807d9950f58b92663cf905413f6c73c5b5c3edf118ae9ae24455e20ed815169b6c279096fd0d7527784713300d66a4a77202b86b1a74c46d08b58c4

  • SSDEEP

    12288:NhxeQ5vzivb4wd+czsvcw0rciBgZzZzw288So7y:Nhxriz4wd+xclubszo

Malware Config

Extracted

Family

warzonerat

C2

makatti.duckdns.org:3787

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks