General

  • Target

    Vessel Documents ASF.7z

  • Size

    378KB

  • Sample

    210401-6qm7h1bm92

  • MD5

    9e7925e9724294f19395821cd3e5d50a

  • SHA1

    50ed2479cd7f1a8daf629c5057f75385db08bce3

  • SHA256

    83364075849df0402e0c8c3f01282f3c5cd84e3e820cbc1742bc389095126d4b

  • SHA512

    1806049bc5e36e44d98c58c6541d40d29b2a216b646dce115fe2b8e94544cac0a5550a191a439de6b25c03f1a0398a6b741d1c7862a5400f752e553d29d942c2

Malware Config

Extracted

Family

warzonerat

C2

172.93.187.92:1717

Targets

    • Target

      Vessel Documents ASF.exe

    • Size

      467KB

    • MD5

      08c6c5e68a6cc3a35e5fd0ccc2dadd5a

    • SHA1

      d90b14169f63959dcc32606f525f633980c7def6

    • SHA256

      6480908a20c070a7689d55d368cff5369b0345143cd15eb93a2cf6f72f0bad83

    • SHA512

      2a55e7ea548ad82b767506b45632f6ce44facc39d80613f0b767d378237fdc4d818ca6e145b45f07fee275d957b5bc928745a727ab1488f57e2b038430eee3ac

    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                            ID       Count
  Execution              Scheduled Task                       T1053    1
  Persistence            Registry Run Keys / Startup Folder   T1060    1
  Persistence            Winlogon Helper DLL                  T1004    1
  Persistence            Scheduled Task                       T1053    1
  Privilege Escalation   Scheduled Task                       T1053    1
  Defense Evasion        Modify Registry                      T1112    2
  Discovery              System Information Discovery         T1082    1
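The following host-triage script is an added example and is not part of the sandbox report or of any WarzoneRat tooling. It turns the indicators above (the extracted C2 172.93.187.92:1717, the two SHA256 values, and the Winlogon, Run-key and scheduled-task persistence signatures) into checks a responder can run on a suspect Windows host. The expected Winlogon defaults (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,), the drop locations swept for the hashes, and the assumption that the script runs from an elevated PowerShell session are the author's, not the report's.

```powershell
# Added host-triage script (not from the sandbox report). Checks a Windows host
# for the persistence, network and file indicators listed above.
# Assumptions (not from the report): the Winlogon defaults below, the drop
# locations swept, and that this runs elevated so HKLM and all tasks are readable.

$Indicators = @{
    C2Host = '172.93.187.92'
    C2Port = 1717
    Sha256 = @(
        '83364075849df0402e0c8c3f01282f3c5cd84e3e820cbc1742bc389095126d4b',  # Vessel Documents ASF.7z
        '6480908a20c070a7689d55d368cff5369b0345143cd15eb93a2cf6f72f0bad83'   # Vessel Documents ASF.exe
    )
}
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Helper DLL (T1004): Shell and Userinit should hold only the OS defaults.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') {
    $Findings.Add("Winlogon Shell modified: $($wl.Shell)")
}
$defaultUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($wl.Userinit -ne $defaultUserinit) {
    $Findings.Add("Winlogon Userinit modified: $($wl.Userinit)")
}

# 2. Registry Run keys (T1060): list every entry so an analyst can spot new ones.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds.
            if ($p.Name -notlike 'PS*') {
                $Findings.Add("Run entry ${key}\$($p.Name) = $($p.Value)")
            }
        }
    }
}

# 3. Scheduled tasks (T1053) whose action binary lives outside the Windows directory.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -notmatch '^"?(%SystemRoot%|%windir%|C:\\Windows)') {
            $Findings.Add("Task $($task.TaskPath)$($task.TaskName) runs $($a.Execute) $($a.Arguments)")
        }
    }
}

# 4. Live TCP connections to the extracted C2 endpoint.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $Indicators.C2Host -and $_.RemotePort -eq $Indicators.C2Port } |
    ForEach-Object { $Findings.Add("C2 connection from PID $($_.OwningProcess) to $($_.RemoteAddress):$($_.RemotePort)") }

# 5. Hash sweep of likely drop locations (including System32, which the
#    "Drops file in System32 directory" signature points at) for the sample hashes.
$paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA", "$env:SystemRoot\System32")
Get-ChildItem $paths -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash
        if ($h -and $Indicators.Sha256 -contains $h.ToLower()) {
            $Findings.Add("Known sample on disk: $($_.FullName)")
        }
    }

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings }
```

The Run-key and scheduled-task checks are deliberately noisy: they list every Run entry and every task whose binary is not under the Windows directory, because a persistence name chosen by the operator cannot be predicted from the report. Compare the output against a known-clean build of the same image. The hash sweep recurses into System32 and APPDATA and can take several minutes; it only matches the exact files from this submission, so a repacked build of the same RAT will not be caught by it, only by the persistence and network checks.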

Tasks