Overview

overview

10

Static

static

Dhl Arrival.exe

windows7_x64

10

Dhl Arrival.exe

windows10_x64

10

Dhl Notification.exe

windows7_x64

10

Dhl Notification.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Dhl Notification.zip

  • Size

    22KB

  • Sample

    210406-b6frcdqshe

  • MD5

    efcbf22580c7c17fff4235145af86e1a

  • SHA1

    ed8fde01aff29c459f1462356a8f574e03068fba

  • SHA256

    0ca60d33d6d026801f5c504c67b55ed7476567f63159c7d19547dfff90b3e095

  • SHA512

    854e582078f9981cd16dbd894c1be56c69a62d48f97e27b206d07d131dc3131c61e756c886dcb2f96ab5b5e864d8bf2d8caf2d733d28aee464cfd7e6a7e4c3a6

Score
10/10
agentteslawarzoneratevasioninfostealerkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

warzonerat

C2

103.199.17.185:5200

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    Smtp.atlassecuritys.com
  • Port:
    587
  • Username:
    holyman@atlassecuritys.com
  • Password:
    }I9@Yru*QfuS

Targets

    • Target

      Dhl Arrival.exe

    • Size

      25KB

    • MD5

      d8c4d7227e013682827d7dd15eb75c5d

    • SHA1

      435a7ff58f4ace3a87660cc087dd619528bf5904

    • SHA256

      45ce8266b766882c315625e5697ad038178bb3c5bc38fd43debd7cff0f93df6a

    • SHA512

      297c747e59af9b2bac175bfc746a894271eb54397b7ad0b3bee0479e28cacef29a0d63aa27260da44609ccf142fddbbe4a47ae33945b95ec53281fba4d79e1f2

    Score
    10/10
    warzoneratevasioninfostealerpersistencerattrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Turns off Windows Defender SpyNet reporting

      evasion

    • UAC bypass

      evasiontrojan

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Windows security bypass

      evasiontrojan

    • Nirsoft

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Dhl Notification.exe

    • Size

      28KB

    • MD5

      637e720356c1dae795f538c6b3ddcaf5

    • SHA1

      8f6ca0cac4fcb24ea770044ec3da90d162138edf

    • SHA256

      fc80e617c3370a42147ee2c7690dca01f3a70d0fcf435bb1265a6873bd7674ed

    • SHA512

      96262d4835b3026b473921d5a8b3c115c0958ebe55b5f4f737ea3dc237ae8fd6a21e59bf3e7c8d8b615a206e2d02f11a9c0a0cb4b02b0e204ac2f51bbd4ab54c

    Score
    10/10
    agentteslaevasionkeyloggerspywarestealertrojan
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

2
T1060

Winlogon Helper DLL

1
T1004

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

13
T1112

Disabling Security Tools

9
T1089

Bypass User Account Control

1
T1088

Credential Access

Discovery

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks