General

  • Target

    a1805c0d9f859351a93a34dcce491579

  • Size

    255KB

  • Sample

    240224-lbxyhsff52

  • MD5

    a1805c0d9f859351a93a34dcce491579

  • SHA1

    edf4dc30905cd257391913cc3bb9d1fbfcba8eb5

  • SHA256

    efd79f15e2745fd167c1f507241d83bf0052026c29252a06d6dafa2f004c3fbd

  • SHA512

    2fdb90903c5d3c1853ae89dc739afeedc84e0ff1d6f980357fdfcbf29ef6ea78c22cf261dc7ac45cb9e8e76653029d982dd5bc34b04631c68c256b5d6478de2d

  • SSDEEP

    6144:JRu66bNPQm1N4WhtGPWebgT3qxjj4Ua2+1EruWB0i4H:X6NJoWebeq58bQ

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    nan.ydns.eu:5200

Targets

    • Target

      a1805c0d9f859351a93a34dcce491579

    • Detects BazaLoader malware

      BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks