General

  • Target

    a0892d0ee09eb36fba025875b72142fc

  • Size

    1010KB

  • Sample

    240223-2qx5tsbf41

  • MD5

    a0892d0ee09eb36fba025875b72142fc

  • SHA1

    5cd68df1915e072f4283410a0ca102c4f8bf3337

  • SHA256

    e792f30b9a672d0542bb3c9983023938066ef1b2c40a3d01a73f15eeae5a87d6

  • SHA512

    137700a35f6c555a055ac20f1c3b2f794567be89e4e0332298fa7048b77579b37f6ba948d9031ec100e70016d99b5e335ef251dbde9855c14c07df8e9674b509

  • SSDEEP

    24576:8AOcZ6JC1gm0fCr2hxwHr6c14BNb3oFQYcEnVGUTB:qVm0KrMKHr6+ozo6In

Malware Config

Extracted

Family

warzonerat

C2

45.162.228.171:26112

Targets

    • Detects BazaLoader malware

      BazaLoader is a trojan that transmits logs to its command-and-control (C2) server, encoding them in BASE64 and sending them in HTTP GET requests. This is a generic signature hit; the extracted configuration above classifies the sample as WarzoneRAT.

    • WarzoneRat, AveMaria

      WarzoneRAT (also tracked as AveMaria) is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Registry Run-key persistence: the application is relaunched at user logon.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and other process-injection techniques.
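The indicators in this report (file hashes, the WarzoneRAT C2 endpoint, Run-key persistence and an injection-capable process-access mask) can be hunted across endpoint telemetry. The following is an added example, not code from the sandbox report or from any tool it references. It assumes Sysmon-style JSON events with the standard field names (EventID 1 ProcessCreate with a `Hashes` string, 3 NetworkConnect, 10 ProcessAccess, 13 RegistryEvent); the sample events are constructed for the example, and the `INJECTION_MASK` check is a heuristic chosen here, not something the report states.

```python
"""Hunt for this report's indicators across Sysmon-style JSON events.

Added example; the event lines below are constructed, not captured.
"""
import json
from typing import Iterable

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "a0892d0ee09eb36fba025875b72142fc",
    "sha1": "5cd68df1915e072f4283410a0ca102c4f8bf3337",
    "sha256": "e792f30b9a672d0542bb3c9983023938066ef1b2c40a3d01a73f15eeae5a87d6",
}
C2_IP, C2_PORT = "45.162.228.171", 26112

# Autostart locations matching the "Adds Run key" signature (matched case-insensitively).
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Heuristic (our assumption, not from the report): OpenProcess rights that
# injection/hollowing needs on the target, PROCESS_VM_OPERATION (0x0008)
# and PROCESS_VM_WRITE (0x0020).
INJECTION_MASK = 0x0008 | 0x0020


def parse_sysmon_hashes(field: str) -> dict:
    """Turn Sysmon's 'MD5=..,SHA256=..' string into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def evaluate(event: dict) -> list:
    """Return the indicator tags one event matches (empty list if none)."""
    tags = []
    eid = event.get("EventID")
    if eid == 1:  # process creation carries the image hashes
        hashes = parse_sysmon_hashes(event.get("Hashes", ""))
        if any(hashes.get(algo) == value for algo, value in IOC_HASHES.items()):
            tags.append("known_sample_hash")
    elif eid == 3:  # network connection: exact ip:port of the extracted C2
        if (event.get("DestinationIp") == C2_IP
                and int(event.get("DestinationPort", 0)) == C2_PORT):
            tags.append("warzonerat_c2")
    elif eid == 13:  # registry value set under a Run/RunOnce key
        target = event.get("TargetObject", "").lower()
        if any(marker in target for marker in RUN_KEY_MARKERS):
            tags.append("run_key_persistence")
    elif eid == 10:  # process access with rights sufficient to write remote memory
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if access & INJECTION_MASK == INJECTION_MASK:
            tags.append("injection_capable_access")
    return tags


def hunt(lines: Iterable[str]) -> list:
    """Scan JSON lines; return (line_number, tag) pairs, skipping malformed lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole hunt
        for tag in evaluate(event):
            hits.append((number, tag))
    return hits


# Constructed sample telemetry (paths and SIDs are invented for the example).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\invoice.exe",
                "Hashes": "MD5=A0892D0EE09EB36FBA025875B72142FC,"
                          "SHA256=E792F30B9A672D0542BB3C9983023938066EF1B2C40A3D01A73F15EEAE5A87D6"}),
    json.dumps({"EventID": 3, "Image": "C:\\Users\\victim\\Downloads\\invoice.exe",
                "DestinationIp": "45.162.228.171", "DestinationPort": 26112}),
    json.dumps({"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
                "DestinationIp": "8.8.8.8", "DestinationPort": 53}),
    json.dumps({"EventID": 13, "TargetObject":
                "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                "Details": "C:\\Users\\victim\\AppData\\Roaming\\images.exe"}),
    json.dumps({"EventID": 10, "SourceImage": "C:\\Users\\victim\\Downloads\\invoice.exe",
                "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}),
]

if __name__ == "__main__":
    for number, tag in hunt(SAMPLE_EVENTS):
        print(f"line {number}: {tag}")
```

The C2 match is deliberately exact on ip:port; if the operator rotates ports, widen it to the IP alone and accept the extra noise. The hash match uses whichever algorithms the endpoint logs, so enabling SHA256 in the Sysmon configuration makes the rule stronger than MD5 alone.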
