General

  • Target

    c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe

  • Size

    468KB

  • Sample

    240523-cggdaahg4v

  • MD5

    b1555e040ed35043ee177401d1f2c4c2

  • SHA1

    b393093f0c93b8209ba42929c8099bee099c1fb6

  • SHA256

    c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20

  • SHA512

    77cfce8d39219f2f93bbc495a69b73cb0656b32f27de392e0b91ac47cb5d028defabd6e8d4e3e8849500e13b30a59931428199b49e0d2393d5529929518742ea

  • SSDEEP

    12288:5M2y21Low+fOwXEBfBsguZ0iYvdl0pBiOMGoht:YWoXfOwXEBruZ0vUyBzb

Malware Config

Extracted

Family

warzonerat

C2

newbroobi.duckdns.org:77

Targets

    • Target

      c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe

    • Size

      468KB

    • MD5

      b1555e040ed35043ee177401d1f2c4c2

    • SHA1

      b393093f0c93b8209ba42929c8099bee099c1fb6

    • SHA256

      c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20

    • SHA512

      77cfce8d39219f2f93bbc495a69b73cb0656b32f27de392e0b91ac47cb5d028defabd6e8d4e3e8849500e13b30a59931428199b49e0d2393d5529929518742ea

    • SSDEEP

      12288:5M2y21Low+fOwXEBfBsguZ0iYvdl0pBiOMGoht:YWoXfOwXEBruZ0vUyBzb

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables embedding command execution via IExecuteCommand COM object

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile contents.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ac0f93b2dec82e9579bff14c8572a6c8

    • SHA1

      6460244317cbb77e342adb3561ec3acb496c84d5

    • SHA256

      3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

    • SHA512

      8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

    • SSDEEP

      96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter (T1059): 1

    PowerShell (T1059.001): 1

  • Credential Access

    Unsecured Credentials (T1552): 1

    Credentials In Files (T1552.001): 1

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

    Email Collection (T1114): 1

Tasks