General

  • Target: DHL Notification.zip
  • Size: 151KB
  • Sample: 210414-yewgzseg46
  • MD5: 0ab22a0a0cb3980c01ac6cb936cd55f3
  • SHA1: b16f747e2de14723433ad41d04f63417cbdc3e8a
  • SHA256: e04b0a2d8cd202f1888fc4947458f5b3090d370470e511966432b53ba3d4dfad
  • SHA512: 61fda0f900d2c41bcb9b69159ecb1e5492744273ce5fc50f802238031b5da340a003bd8f923ba3464fbd799089306c28339be49e67871670ebcc2670ba622585

Malware Config

Extracted

  • Family: warzonerat
  • C2: 103.199.17.185:5200

Targets

    • Target: DHL Notification.exe
    • Size: 163KB
    • MD5: eb15437018c4dda8bec1309dc09b2e14
    • SHA1: 0e05d49ff0f3fe7b68bbb6557ab726ab7655d3ac
    • SHA256: 0a488235c3301936360b952234816e277d5cf57f1521df8a3fe91f9103e2c241
    • SHA512: 78994e140aa0820399a831dcb1815b7add35e5c401a7ac93292fd869607c2d5ee5c5f5aa574eef17690f9a341980f8f7d8e7f3033695ea8674f410c60813b086

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++, shipped with multiple plugins and sold as malware-as-a-service (MaaS).

    • Warzone RAT Payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive information.

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
      Registry Run Keys / Startup Folder: T1060 (2)
      Winlogon Helper DLL: T1004 (1)

  • Defense Evasion
      Modify Registry: T1112 (3)

  • Credential Access
      Credentials in Files: T1081 (1)

  • Discovery
      System Information Discovery: T1082 (1)

  • Collection
      Data from Local System: T1005 (1)
