Overview

overview

10

Static

static

SecuriteIn....0.rtf

windows7_x64

10

SecuriteIn....0.rtf

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Troj.XMLDwn-AS.10120.0

  • Size

    813KB

  • Sample

    201205-kfgkcwfgm6

  • MD5

    03d11e6b979a69b7ebda725436ab236e

  • SHA1

    98ff07105b6e3972f79d9ad872730a2a7da1063d

  • SHA256

    1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1

  • SHA512

    99a88a180fc52a3f21d68f12d933ec32fedcbe45243a886c9448150a690d4b660ff8385c0c94290c392f37a6defc0cb54da7fe82a61eb8e0f522602591d02e70

Score
10/10
warzoneratxpertratspecial xevasioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

httP://192.3.194.245/xpertorigin.exe

Extracted

Family

warzonerat

C2

195.140.214.82:6703

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

zytriew.duckdns.org:4145

papertyy.duckdns.org:4145

ghytrty.duckdns.org:4145
Mutex

A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1

Targets

    • Target

      SecuriteInfo.com.Troj.XMLDwn-AS.10120.0

    • Size

      813KB

    • MD5

      03d11e6b979a69b7ebda725436ab236e

    • SHA1

      98ff07105b6e3972f79d9ad872730a2a7da1063d

    • SHA256

      1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1

    • SHA512

      99a88a180fc52a3f21d68f12d933ec32fedcbe45243a886c9448150a690d4b660ff8385c0c94290c392f37a6defc0cb54da7fe82a61eb8e0f522602591d02e70

    Score
    10/10
    warzoneratxpertratspecial xevasioninfostealerpersistenceratspywarestealertrojanupx

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      evasiontrojan

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Windows security bypass

      evasiontrojan

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

      ratxpertrat

    • XpertRAT Core Payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Warzone RAT Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

9
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

4
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks