Overview

overview

10

Static

static

1

DHL.exe

windows7_x64

10

DHL.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHL.zip

  • Size

    143KB

  • Sample

    210414-8pez1zs4q6

  • MD5

    369aa53c3ca60a386504467e9069a2d0

  • SHA1

    abf9451d65e071e71df1d243d75174a63ebe81f5

  • SHA256

    6fc8a97e2f6a603c7540e600d30bdb8f0b82d7f9a9dc58defece0a17377abbda

  • SHA512

    76d63c2e60e3ebed6a6fc8b27f730fde61db83d53971cea6423020fae9336e9fd4b2eb16d93f4fb717c9caddf49d83092883ba17edbbebd8302a66b78d05b4d7

Score
10/10
warzoneratinfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

103.199.17.185:5200

Targets

    • Target

      DHL.exe

    • Size

      155KB

    • MD5

      8ee83b23a03d6d86237eec9094745b0f

    • SHA1

      cd842c86f6e27eac4b25cd0cbf5f36d2eb5b92d1

    • SHA256

      485cc2e6034ba95ed0bc7f15273ae707c5c9ddec29e863c2a1f504379ce87dc7

    • SHA512

      b7ae33a588aaccabfa3b3e2e77c60318b0e5b72fb37958145dc31c505d282b533fabd6d40cb28c5b10140d677c1c48c1c0797efc345b0ad2068e5961b438358f

    Score
    10/10
    warzoneratinfostealerpersistenceratspywarestealer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks