General

  • Target

    oder mcdq.arj

  • Size

    848KB

  • Sample

    210507-drlrhvvtcx

  • MD5

    3ab2ef437054eab9c57e9b8bfb02f2d4

  • SHA1

    9c6b98e4362dc6aa752195aa4504fcb96b6f01aa

  • SHA256

    85676ce2ff8483e0e6167360c33caf0e023e5d51d236eec49f35a5159787ed4d

  • SHA512

    5084ee94bdf9d6a6f1d23594d26a4140627de26cb53da7199b8cd3f85082b6beb47ddaf45daf78e7d54fb9d9735a59a365906a695be8179b994fa68a92fce140

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    193.169.255.128:2626

Targets

    • Target

      oder mcdq.exe

    • Size

      2MB

    • MD5

      a46e5071e79ad0c6977059d8e7979b9b

    • SHA1

      a0991039e331052b1ec81402a932ccfb7b9a2677

    • SHA256

      3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

    • SHA512

      b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)
