Overview

overview

10

Static

static

3

RFQ_SRC022...df.scr

windows7-x64

10

RFQ_SRC022...df.scr

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c14a2e80074e63cfcbc21b2d9da8edaf6549f436ac8060b32a88cdac6604e52c.zip

  • Size

    600KB

  • Sample

    250218-dv9gnawqat

  • MD5

    618a4352c89939bee1f9312cf378d5f3

  • SHA1

    79bc588c106a4a17c4ca89bf47a5e961380b5dd7

  • SHA256

    c14a2e80074e63cfcbc21b2d9da8edaf6549f436ac8060b32a88cdac6604e52c

  • SHA512

    0e4f1455e732a699da08a8cc5c36f05899b3298e796b6434aa7b4e6981c2124f3ccaddfa38ec0c6c878285a1b0105100c69b2f39582f46627f6c4e060576fc5e

  • SSDEEP

    12288:+BcsCQT818zNDNzZofzqL33oni2n/dXRZ++RbTHAP8O:NsCQT6yN9Zn334n1RZ++xHpO

Score
10/10
guloaderwarzoneratdiscoverydownloaderinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

196.251.90.63:29389

Targets

    • Target

      RFQ_SRC02252017-pdf.scr

    • Size

      724KB

    • MD5

      11f41ca243c031d073ca13d1aa0e9a29

    • SHA1

      ba4eb2a551a053f3f222ce0c5039e5b05cca880e

    • SHA256

      7a0f824a21b8f5d26bf8536e2f5958514b6975d54722418719c8e919734a3986

    • SHA512

      04cb6f3b2bd9ea3a512324741eae29f409a25d1bd1b4d12279c0260841301a1d9e67644df825df0c8f4b58781dc5814909baf49019a7af22696364ced9bc6939

    • SSDEEP

      12288:/lIbMYOj7pofFqL35onwWnfHX7Z+ORbHH2PQb:/9YOnpD35snP7Z+OhHhb

    Score
    10/10
    guloaderwarzoneratdiscoverydownloaderinfostealerpersistencerat

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzonerat family

      warzonerat

    • Warzone RAT payload

      rat

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      a436db0c473a087eb61ff5c53c34ba27

    • SHA1

      65ea67e424e75f5065132b539c8b2eda88aa0506

    • SHA256

      75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

    • SHA512

      908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

    • SSDEEP

      192:aVL7iZJX76BisO7+UZEw+Rl59pV8ghsVJ39dx8T:d7NsOpZsfLMJ39e

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks