Overview

overview

10

Static

static

3

c90ceb7aa5...20.exe

windows7-x64

8

c90ceb7aa5...20.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe

  • Size

    468KB

  • Sample

    240523-cggdaahg4v

  • MD5

    b1555e040ed35043ee177401d1f2c4c2

  • SHA1

    b393093f0c93b8209ba42929c8099bee099c1fb6

  • SHA256

    c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20

  • SHA512

    77cfce8d39219f2f93bbc495a69b73cb0656b32f27de392e0b91ac47cb5d028defabd6e8d4e3e8849500e13b30a59931428199b49e0d2393d5529929518742ea

  • SSDEEP

    12288:5M2y21Low+fOwXEBfBsguZ0iYvdl0pBiOMGoht:YWoXfOwXEBruZ0vUyBzb

Score
10/10
warzoneratcollectionexecutioninfostealerratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

newbroobi.duckdns.org:77

Targets

    • Target

      c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe

    • Size

      468KB

    • MD5

      b1555e040ed35043ee177401d1f2c4c2

    • SHA1

      b393093f0c93b8209ba42929c8099bee099c1fb6

    • SHA256

      c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20

    • SHA512

      77cfce8d39219f2f93bbc495a69b73cb0656b32f27de392e0b91ac47cb5d028defabd6e8d4e3e8849500e13b30a59931428199b49e0d2393d5529929518742ea

    • SSDEEP

      12288:5M2y21Low+fOwXEBfBsguZ0iYvdl0pBiOMGoht:YWoXfOwXEBruZ0vUyBzb

    Score
    10/10
    executionwarzoneratcollectioninfostealerratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables embedding command execution via IExecuteCommand COM object

    • Warzone RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks