Overview

overview

10

Static

static

Failed Del...gs.scr

windows7_x64

10

Failed Del...gs.scr

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Failed Delivery Logs.scr

  • Size

    192KB

  • Sample

    210119-g1n56g34y6

  • MD5

    c782821f3ea22873c247ed3524335b2a

  • SHA1

    83295352f00b346f15b7856ee89d24b1ab84dd95

  • SHA256

    9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

  • SHA512

    be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

iphanyi.mywire.org:5552

Targets

    • Target

      Failed Delivery Logs.scr

    • Size

      192KB

    • MD5

      c782821f3ea22873c247ed3524335b2a

    • SHA1

      83295352f00b346f15b7856ee89d24b1ab84dd95

    • SHA256

      9cc2f25b4bf0e3d246f8af3ea7ffa49a84824ff1e263ae66afe76365072f817c

    • SHA512

      be84f8c79b93329ea927505d11f9fe6249b7230c1e9bf54a4e15f2d08b6eed21ed3f57e7c588449b16dc6d57b4a1ce3e372d27d35f7c4ecbf5c9756926caa5b5

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks