General

  • Target

    a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

  • Size

    1.1MB

  • Sample

    240226-1mh13ahc9z

  • MD5

    5ccd86fc97c9a218f4d4deaf40474fe8

  • SHA1

    5ab5d8f5eedd6bec3c970ed1220c2d93ff9da802

  • SHA256

    a33967b25289fff0c0978686fa27ae823e3ac86684d52afb1a1ad1b732045249

  • SHA512

    355fa936bfcb1f3cf8192e6179dac7870fff098217d2a5f10a07cb4c3448644c6b7678d6ddb81af3b25b96308072f43c814433bb7689136fb7683e9220a99dce

  • SSDEEP

    24576:B389mI12NKtXeoGwtu16bTg98qVl7s1wxNvFUtTNiHZP6iv:B3EmI1CKl2wtAl9mwWtcyu

Malware Config

Extracted

Family

warzonerat

C2

146.70.76.43:43206

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables embedding command execution via IExecuteCommand COM object

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks