General

  • Target: b84b9a63842c6e568d82e4cbf8a2df7b_JaffaCakes118
  • Size: 670KB
  • Sample: 240617-m9l5caxhrg
  • MD5: b84b9a63842c6e568d82e4cbf8a2df7b
  • SHA1: 7c616240ed237f43af94e9e5b24fd051c051be5e
  • SHA256: 8787202b2bdc72567ca866f0398c2920de836163f76f8c245d71989999d3b1d7
  • SHA512: 0d579dc841e29fdf8f6036a8f4b750acbef8303244f033949b0a6dc6a719f14d47aca1249fef2dc4b34f80ad847813057eaaac8265d223051efeecf8356ef042
  • SSDEEP: 12288:cBHN5X1fHRJCL49nKGPSitGzXp7ud25AYimewlPlRaG3Pg+Idn5+sa9Takv6:2zrJCL4wGnQ75ud2phlPlRaG3I+Id5+E

Malware Config

Extracted

  • Family: warzonerat
  • C2: xilogrid.info:6080

Targets

    • Target: PO-45658467.exe
    • Size: 729KB
    • MD5: 19120c7a5b3a173b1e71a749d1f838f2
    • SHA1: 31b10a31a42a1c6537675beadd9cb67ac2ad7a47
    • SHA256: 8a69ef9bfb807a216e604cbf01b7b5d394057d0615e29bf44d6bd7ed1122714d
    • SHA512: 9bb75899fab3bdfccf2c59ebf2d94cd90209ea7bb5d766a3d33e574d4c8900e04cecfb16d7930d5cf024d908a42d08701ac7861db751adf55c6d58d252dd42e0
    • SSDEEP: 12288:wgYlw5n11fRJCvA97KGxSVt4rpkxnFzSWuN2JSB5+UyUDJ8X+am9jK:n3xJCvAIGqt4rpkxwzN2M5dF0+t9jK

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Execution
    • Scripting (T1064): 1

  Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

  Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

  Defense Evasion
    • Scripting (T1064): 1
    • Modify Registry (T1112): 1

  Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2
