General

  • Target

    neue bestellung.PDF.exe

  • Size

    652KB

  • Sample

    210223-7jqe4mrmya

  • MD5

    a0b16d3a4ce67631e8681b3d3069772c

  • SHA1

    28f64d87e10a9d5f4fe4c508f431b0b0e6ca9103

  • SHA256

    6131d15e138a07ea92924656ba389ef9ad1001ec1ca144be9e7f335b46b1ae9f

  • SHA512

    8c3134360a12e0154cc789cb363ec8ac287ca3066c85366c633a998a4ec349e6daf8e8134459eeb9b19c4fdc13135fb032957f2dfa010bd71061d8f048cd0ebe

Malware Config

  • Extracted

    Family: warzonerat

    C2: 194.5.97.48:3141

Targets

    • Target

      neue bestellung.PDF.exe


    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as Malware-as-a-Service (MaaS).

    • Warzone RAT Payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053), 1 signature

  • Persistence

    Scheduled Task (T1053), 1 signature

  • Privilege Escalation

    Scheduled Task (T1053), 1 signature

  • Credential Access

    Credentials in Files (T1081), 1 signature

  • Discovery

    System Information Discovery (T1082), 1 signature

  • Collection

    Data from Local System (T1005), 1 signature