General

  • Target

    a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569

  • Size

    1.0MB

  • Sample

    240226-1kv8lshc51

  • MD5

    81a64ccbbef9671558f38d8ef1538e39

  • SHA1

    c0c7571c367eac71ad1121f56fbce4763ce22448

  • SHA256

    a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569

  • SHA512

    9858d0e46311ca6cfbbc66a046d8d9c2f3970640e7d4cdfd31c1d3c2260871415457c2982816f331ec7faa2ed161ae8215940f57f49449b414c0d0fe3b97992b

  • SSDEEP

    12288:bocruvY5lZG8Z1CgOsS8DW8V1JmBgS43KCZE5ZFgJAzClLKTgulyAKp:boYuv8lZLOsZDvXJEgSGU0ulWp

Malware Config

Extracted

Family

warzonerat

C2

godblessking.ddns.net:1991

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Detects Windows executables bypassing UAC using CMSTP utility, command line and INF

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables containing artifacts associated with disabling Windows Defender

    • Detects executables containing base64 encoded gzip files

    • Detects executables embedding command execution via IExecuteCommand COM object

    • Detects executables potentially checking for WinJail sandbox window

    • Warzone RAT payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks