General

  • Target

    oder mcdq.exe

  • Size

    3.0MB

  • Sample

    210507-g2cklhljh6

  • MD5

    a46e5071e79ad0c6977059d8e7979b9b

  • SHA1

    a0991039e331052b1ec81402a932ccfb7b9a2677

  • SHA256

    3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

  • SHA512

    b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

Malware Config

Extracted

Family

warzonerat

C2

193.169.255.128:2626

Targets

    • Target

      oder mcdq.exe

    • Size

      3.0MB

    • MD5

      a46e5071e79ad0c6977059d8e7979b9b

    • SHA1

      a0991039e331052b1ec81402a932ccfb7b9a2677

    • SHA256

      3416c2ee1eb4d7c1e64b7bba4e336d5de068992d0a4b09c114ba574c057c2eb7

    • SHA512

      b3b8e542b8c0d2f12689e28ee2956869b1ebdd0b4d5d6103972da1179bc87cea473cb5284643189592c03e015f4e7450eefd7609a1eb2c60b4d2ad3a4d4e1c0f

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks