Overview

overview

10

Static

static

6

1099Misc.pdf

windows7-x64

1

1099Misc.pdf

windows10-2004-x64

1

Tax_Documents_PDF.exe

windows7-x64

10

Tax_Documents_PDF.exe

windows10-2004-x64

10

msimg32.dll

windows7-x64

10

msimg32.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Tax_Documents_PDF.zip

  • Size

    115.7MB

  • Sample

    240524-kk55tabe2x

  • MD5

    41a9c203b9369a06ff7da0f21aa90f58

  • SHA1

    3c4561405c2453935d49aa641173d4b94ccc809c

  • SHA256

    a681247f97012f94a32e9b78f799802ace3cb3c4706c4cca1f52afee037f7710

  • SHA512

    6c4999b8a39501e0cbea06cce4e863ed51119b5a94b34b56b9e3b0827f0400d2bc41a6b0e4a4783ec50f6f62e0fa6c32611b8e2399bf155cd50fbe9927a9fb72

  • SSDEEP

    3145728:Q3HdM43C3oYCqqAdLnV49lBTZITHAgKQtLGxzAfvDGOHaY1Ebs5cg6CKhmZhYHU:45i/IbicUFqHU

Score
10/10
warzoneratevasioninfostealerpdfpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

5.253.84.218:6500

Targets

    • Target

      1099Misc.inf

    • Size

      220.0MB

    • MD5

      65062141a5aa00068b12b74a85d67b41

    • SHA1

      5ba2d2c53978b4de3a123d79fa3ed60e93d86a48

    • SHA256

      133be53c484a7d2f18f7919a393b60f4276f7900417bcd7bfecdbe977e750fb4

    • SHA512

      d9bdde0c7293acbdf4410b454cfd9a1ed6d645b69a108d88292cc3008d42909934d269d03c94d06e4868b1b2d0c6b0a260a3dfaacca9338e227452c307998231

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWp:

    Score
    1/10
    behavioral1behavioral2

    • Target

      Tax_Documents_PDF.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral3behavioral4

    • Target

      msimg32.dll

    • Size

      44.7MB

    • MD5

      37ba2c97ca9a8503e796a726f23ebe6e

    • SHA1

      3fd8be11bf7b6e951646d794802849e3af902a2b

    • SHA256

      0bfb5c9035c5bccea26456a7a873e7f682055c5621a3c2ada16f7db9e4b49a39

    • SHA512

      fb55a58099050b6c0062d8d5aeae5deefcadfe34ff2ed9046c17a390380af94f44d67025ddaad3b2e6aef5cbf4f795ed4a65749fc141dddc750531ed7abffa86

    • SSDEEP

      786432:ieUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpw:XUP7GCG6iSrkx1hSzYsHQD3t/Rq

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks