General

  • Target

    16569830230.zip

  • Size

    103.1MB

  • Sample

    240412-bssp1sbb53

  • MD5

    00959cbf5b11cb825b6cb074d9dc6327

  • SHA1

    1732054e14929b874ee0e7ea86ed411f87e58504

  • SHA256

    40c5ac0fe49c8df1fcd334c72c4a8f75cc96a0a93e84f569cfb88589ef2b8134

  • SHA512

    8e143fd7dd89dd2e1384ceec524b02c753d58d055cdf8849e79b786a1149834877949fc5cb29ec1418d2c8ad886fc79f19c07ff8abf9d6abd2824f1aaf087b42

  • SSDEEP

    3145728:qyehDLbdHZ2PqW8tdoefxOADd6PClRYyeCe:qyghhFfVDmUUd
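An added example, not part of the report or of the sandbox's own tooling: confirming that a file you hold is one of the artefacts this page describes. The file is read once and fed to every digest at the same time (the archive is over 100 MB), and a match requires every algorithm present on both sides to agree, so an MD5 hit with a disagreeing SHA-256 is treated as a mismatch. The MD5, SHA-1 and SHA-256 values in FILE_IOCS are transcribed from the report above; the function names are the example's own, and SSDEEP is not covered because the standard library has no implementation.

```python
import hashlib
import io
from typing import BinaryIO, Dict, Optional

# File-hash IOCs transcribed from the report above: the submitted archive
# and the two artefacts flagged as Warzone RAT payloads.
FILE_IOCS: Dict[str, Dict[str, str]] = {
    "16569830230.zip": {
        "md5": "00959cbf5b11cb825b6cb074d9dc6327",
        "sha1": "1732054e14929b874ee0e7ea86ed411f87e58504",
        "sha256": "40c5ac0fe49c8df1fcd334c72c4a8f75cc96a0a93e84f569cfb88589ef2b8134",
    },
    "INVOICE_LA_PDF.LNK.exe": {
        "md5": "f1b14f71252de9ac763dbfbfbfc8c2dc",
        "sha1": "dcc2dcb26c1649887f1d5ae557a000b5fe34bb98",
        "sha256": "796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5",
    },
    "g2m.dll": {
        "md5": "e74edf0e25243707b521025e35581273",
        "sha1": "61037e709b30fab28f52de0d6489f3f3433c7146",
        "sha256": "3d7c57fd5e035b159d4f1460989924756a725db772787cf8ad67d543c510fe54",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file-like object, updating every algorithm from the same chunk
    so a multi-hundred-megabyte sample is read from disk only once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data), chunk_size)


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_iocs(digests: Dict[str, str],
               iocs: Dict[str, Dict[str, str]] = FILE_IOCS) -> Optional[str]:
    """Return the name of the report artefact whose hashes agree with `digests`,
    or None. Every algorithm known on both sides must agree, so a single
    colliding MD5 cannot produce a match when the SHA-256 differs."""
    wanted = {k.lower(): v.lower() for k, v in digests.items()}
    for name, known in iocs.items():
        shared = set(known) & set(wanted)
        if shared and all(known[algo].lower() == wanted[algo] for algo in shared):
            return name
    return None


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = digest_file(path)
        print(path, d["sha256"], "->", match_iocs(d) or "no match")
```

Run it as `python ioc_hashes.py <file>` on each extracted artefact; a "no match" for a file carrying the report's name is worth investigating, since samples are commonly re-packed between campaigns with the name kept.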

Malware Config

Extracted

Family

warzonerat

C2

l34d3r.duckdns.org:4047
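The C2 above is a DuckDNS dynamic-DNS name, so the IP address it resolves to is not a stable indicator; the hostname and port are. An added example, not from the report or the sandbox, of sweeping endpoint DNS and network-connection logs for it: a query for the exact hostname is a hit, a connection to an address that the same log window saw that name resolve to is a high-confidence hit, and a connection to port 4047 on its own is flagged only as low confidence. The `DnsQuery`/`NetConn` line format and the lines in SAMPLE_LOGS are constructed for the example; the field names loosely follow Sysmon Event ID 22 (QueryName, QueryResults).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Network IOC from the extracted configuration above.
C2_HOST = "l34d3r.duckdns.org"
C2_PORT = 4047

# Constructed log lines for the example (not from the report). Line 5 shares
# a suffix with the C2 name but is a different label, and must not match.
SAMPLE_LOGS = [
    "2024-04-12T09:14:02Z host=WS01 DnsQuery QueryName=www.example.com QueryResults=93.184.216.34",
    "2024-04-12T09:14:05Z host=WS01 DnsQuery QueryName=L34D3R.duckdns.org. QueryResults=198.51.100.23",
    "2024-04-12T09:14:06Z host=WS01 NetConn src=10.0.0.5:51234 dst=198.51.100.23:4047 proto=tcp",
    "2024-04-12T09:20:11Z host=WS02 NetConn src=10.0.0.6:51900 dst=203.0.113.9:4047 proto=tcp",
    "2024-04-12T09:21:00Z host=WS02 DnsQuery QueryName=notl34d3r.duckdns.org QueryResults=203.0.113.77",
]

DNS_RE = re.compile(r"DnsQuery QueryName=(?P<name>\S+) QueryResults=(?P<ips>\S*)")
CONN_RE = re.compile(r"NetConn src=\S+ dst=(?P<ip>[\d.]+):(?P<port>\d+)")


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def normalize_host(name: str) -> str:
    """Lower-case the name and strip the trailing dot a resolver may append,
    so the comparison is exact on the label sequence, never a substring test."""
    return name.strip().rstrip(".").lower()


def scan(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    resolved: Set[str] = set()  # addresses this log window saw the C2 name resolve to
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m:
            if normalize_host(m.group("name")) == C2_HOST:
                resolved.update(ip for ip in m.group("ips").split(";") if ip)
                hits.append(Hit(n, "dns: query for C2 hostname", line))
            continue
        m = CONN_RE.search(line)
        if m:
            ip, port = m.group("ip"), int(m.group("port"))
            if ip in resolved:
                hits.append(Hit(n, "conn: to address resolved from C2 hostname", line))
            elif port == C2_PORT:
                hits.append(Hit(n, "conn: C2 port only (low confidence, verify destination)", line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.reason}\n    {hit.line}")
```

Because DuckDNS hosts many legitimate names, the check matches the full hostname rather than the `duckdns.org` parent; a broader hunt for any dynamic-DNS traffic on the network is a separate, noisier query.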

Targets

    • Target

      INVOICE_LA_PDF.LNK.exe

    • Size

      39KB

    • MD5

      f1b14f71252de9ac763dbfbfbfc8c2dc

    • SHA1

      dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

    • SHA256

      796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

    • SHA512

      636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

    • SSDEEP

      768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native remote access trojan written in C++ and sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Tier1.pdof

    • Size

      102.1MB

    • MD5

      db0521bd7e4b9fc803f9a900212eea02

    • SHA1

      6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa

    • SHA256

      e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb

    • SHA512

      22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M

    • Score

      1/10
    • Target

      g2m.dll

    • Size

      14.7MB

    • MD5

      e74edf0e25243707b521025e35581273

    • SHA1

      61037e709b30fab28f52de0d6489f3f3433c7146

    • SHA256

      3d7c57fd5e035b159d4f1460989924756a725db772787cf8ad67d543c510fe54

    • SHA512

      8393134d5cf9512011ef6d309918810db7242605696ca6485d6c5054871ddec7bf243b52f0994e1484254818cc012b99c87eb0810fc46c0c0e9e8ca9d7d1faed

    • SSDEEP

      196608:10ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsqEY:1zvfaEog+4rdbUTFVdEY

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native remote access trojan written in C++ and sold as malware-as-a-service (MaaS) with multiple plugins.

    • Warzone RAT payload

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks