General
-
Target
03659a9fd22217ea8800ea48491743c9ce012fbc48a440dc86857efee9f03b6d
-
Size
532KB
-
Sample
240911-e8m19ashlq
-
MD5
0b2f1d4b8d9a717d83cabf58d3a7ab38
-
SHA1
b87b186341177def0f05d699616f336e7fc13906
-
SHA256
03659a9fd22217ea8800ea48491743c9ce012fbc48a440dc86857efee9f03b6d
-
SHA512
597329dceebdf4b0a8099a9215abbf22b352cf05abb72b52ddd8cfa91dd9055fbf952d242d7b40c0c04ddbf05c9ace72b1709515591fb8eda1125765198ec299
-
SSDEEP
12288:76aBcKKuxuLWhhG5FJI6HQFxC8JV9tBnaPbYJfzoOa:zcUTK5nbQ7CybyYJi
Malware Config
Extracted
warzonerat
giftmask.freeddns.org:31098
Targets
-
-
Target
Nordsee 3 Offshore Energy Project _Firm RFQ_KE-24826.scr
-
Size
574KB
-
MD5
a89c88d7302e701a317b026d019913c5
-
SHA1
557ee76c8bd1b081047de189853699c904bfc0a8
-
SHA256
ea48def5335b8e664304ae54ff020858a1cb8a804d21f1c474c21e4ef2213073
-
SHA512
e9673ee11f43f69d65c3faa531a7b0d4ebd7a29b21bf224b78e7bcbc1bf96a124e568e43f218063c1d047fba1190eb89282e607be2c114a8f0f724d525f918f8
-
SSDEEP
12288:GT7kvDoQpLjKrXq4/ObtRmJE+/oqFxC4JV9ttnJBcDv3uy227akR:GTol2rXqRb/+Aq7C27fGb20
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1