General

  • Target

    4b541ff698f1b6cb633140e65dcb6f5f.bin

  • Size

    550KB

  • Sample

    241021-zkqgpaxdlq

  • MD5

    e4fadcb958fd3deb716e63cbf51a2845

  • SHA1

    c0a526eca6fcc5fb0f79f3025465d49dfa103ec6

  • SHA256

    0e20d445741dbc0c671113b540f82726f9d7463154ac1acf3806c38a7fb39341

  • SHA512

    abf8e931f9bf85927dfff534d0068e22ae1799426e3d98c66272a74153bf9d51ab55a9aed477a06a9692c630a2cb7e96969fc07d35d254ee75d0e4000c0887d1

  • SSDEEP

    12288:PFXXJUCKF6E2mSUR5phuD1sWFUtklaTMByND99o9Y3bVE0M0rl7Z:pX/KF6E2mnphI1JcklB8X9o9Yxg0rv

Malware Config

Extracted

Family

warzonerat

C2

omc2015asm.ddns.net:5201

Targets

    • Target

      f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add.exe

    • Size

      784KB

    • MD5

      4b541ff698f1b6cb633140e65dcb6f5f

    • SHA1

      78a89671c275e0498f66393d2bf0c0d9ca84569e

    • SHA256

      f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add

    • SHA512

      3f12c2b92a990df809e689607fce5e9d3135fe467759bfa4ed1dccc0fb98df71cfca85db904fc185c17b697a2540b44bc55ad26214a662f5ae11b25ae0b70639

    • SSDEEP

      12288:Iwh6wEx2iNNFR9YJcR8bNvX+nXq2ow+Ubm1Dt4:Kwk1fFLakaNvX+swK

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks