General

  • Target

    CompanyProfile.vbs

  • Size

    413KB

  • Sample

    240917-h4d5bs1bkd

  • MD5

    110831ca8aa326ecd1e0c364adc7062a

  • SHA1

    34c36ce57105514fa8a0db8ef82aec5db6bd7d34

  • SHA256

    a5bf9d0f1895c9eb988d0d946ccf5022f73b68005450414ddbfdb36a053e4fc0

  • SHA512

    bdd4fef931fd404f450e117b63fbbe47abc71953cee3d4e414643ec19e657ee3efd43df79b0a95fcc4254b5e4bea624b0dce5cb3839a038a20a9cfb86ffcfdf2

  • SSDEEP

    3072:1HGYwftYFGhNe4VTdRnTT8w4TWxHqQYDgbppvicsKS7pEXGRTLYJeP0rkNyt:NwftYFgHqQD

Malware Config

Extracted

Family

warzonerat

C2

109.248.151.156:2048

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15