Overview

overview

10

Static

static

3

RFQ-HL51L0059.exe

windows7-x64

10

RFQ-HL51L0059.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    09901a54ab98188f848d44ed6017a202_JaffaCakes118

  • Size

    508KB

  • Sample

    240624-tvlctsvcrk

  • MD5

    09901a54ab98188f848d44ed6017a202

  • SHA1

    1f5a6fe0c7bc77a9a7f7989cd5782fbab6600110

  • SHA256

    e7c51f30d7e75372fc8c631a572d99c96ed3309430b7173b70e62f7a2c39b755

  • SHA512

    41ea27fd1bbde0d8cad9047a3b213d9f1ee783d8ceaf25d8e68c44c7b7148743ab254fa8894e0cceac070fb1926d43af3e07377378ec7c8d3dffc05ce1a93d81

  • SSDEEP

    12288:4v4tF6mQHmzo9q79LTAKm89YR/pEqQd01aRNI:4v4tF6PmZ79LkKmBR/Hmv3I

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.174:1360

Targets

    • Target

      RFQ-HL51L0059.exe

    • Size

      597KB

    • MD5

      8fe12be2c428274b2bcceed7724a3ff8

    • SHA1

      ddc562079d5351b90cb75d93c4249d20f86d00e0

    • SHA256

      5ed0a1eb2ec9b7d30cd842ef6fd6ca94befa246f096074d8a9bf0e699f11a076

    • SHA512

      646ccc482a71aa73119f23092833d09d5fd93aa18c465bff862fb2fea4ae4893278962bb21df0f84bf49794e169329ca5e8b9ffe5df54070ec62557809e77b04

    • SSDEEP

      12288:lPlSyAabGdmlZsEo9e79LTAcm80jcElkkJ6U9:lPl0abGdmrsq79LkcmsElvB

    Score
    10/10
    warzoneratinfostealerrat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks