General

  • Target

    jewelry Order.zip

  • Size

    20KB

  • Sample

    210405-3zm51kx3ys

  • MD5

    6f02df8811c1c596a39204b591de384c

  • SHA1

    c1a9bd6e3b7414551ca5104475b4c1ea1fe19dc8

  • SHA256

    41922728c35fd716130111dfc939384b50fe175b04f37ac1ab5c94426c1cb8f8

  • SHA512

    9f5dc095e033a36f35231e1e7eca022290b5cf4b6b61eab381185f078b18f288bd80ab3dd1f8fcc62020a4247ef0d45125d75c29f13617e9826e850ca3d8d961

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    Smtp.atlassecuritys.com
  • Port:
    587
  • Username:
    holyman@atlassecuritys.com
  • Password:
    }I9@Yru*QfuS

Extracted

Family

warzonerat

C2

103.199.17.185:5200

Targets

    • Target

      Pendants (2).exe

    • Size

      24KB

    • MD5

      fd27f0d132c4cfe0b8a63480d297007c

    • SHA1

      2132be80f51eb8044e330bbe013970649229b18a

    • SHA256

      7418a63befca526ff62f4a9230ecd45d82585e2612d0bf4c5baf14d3f4d984a4

    • SHA512

      c326bec33bdc411f1701ec070d48b1acd789dc6ed83c561472d5dca04faf21e7d8a022559d8dce960aba91f6d9d1479d544ac44fe4b8594504e734885c20a8ca

    • Target

      earings.exe

    • Size

      24KB

    • MD5

      b8a397c2bb7b7b13dda84893c34707de

    • SHA1

      aaafe2fbb98d4d52b47fab269efae6fb30882288

    • SHA256

      321b6f97457bc64a7fa264043d5f7ce3b6dc1ddd735daf77820580b2f7ff7a93

    • SHA512

      4851e9ede6e9179fae47f1304c306cae931302551452537a4bf8ff2aa6e194bdf0c12531da43d33d5bc990e4c3efa6f24a4822b5be20c5bcda66b964c4b1e846

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • UAC bypass

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Nirsoft

    • Warzone RAT Payload

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Modifies WinLogon

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Modify Existing Service (T1031): 2
  • Registry Run Keys / Startup Folder (T1060): 1
  • Winlogon Helper DLL (T1004): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Modify Registry (T1112): 12
  • Disabling Security Tools (T1089): 9
  • Bypass User Account Control (T1088): 1

Discovery

  • System Information Discovery (T1082): 3
