General

  • Target: DHL ARRIVAL.exe
  • Size: 24KB
  • Sample: 210405-j8ppylh5mx
  • MD5: b8a397c2bb7b7b13dda84893c34707de
  • SHA1: aaafe2fbb98d4d52b47fab269efae6fb30882288
  • SHA256: 321b6f97457bc64a7fa264043d5f7ce3b6dc1ddd735daf77820580b2f7ff7a93
  • SHA512: 4851e9ede6e9179fae47f1304c306cae931302551452537a4bf8ff2aa6e194bdf0c12531da43d33d5bc990e4c3efa6f24a4822b5be20c5bcda66b964c4b1e846

Malware Config

Extracted

  • Family: warzonerat
  • C2: 103.199.17.185:5200

Targets

    • Target: DHL ARRIVAL.exe, 24KB (MD5, SHA1, SHA256 and SHA512 as listed under General)

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Windows security bypass

    • Nirsoft

    • Warzone RAT Payload

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                       ID      Count
  Persistence        Modify Existing Service         T1031   1
  Defense Evasion    Modify Registry                 T1112   4
  Defense Evasion    Disabling Security Tools        T1089   4
  Discovery          System Information Discovery    T1082   1

Tasks