General

  • Target

    Avast-install.ace

  • Size

    842KB

  • Sample

    210707-cz83gm1ebx

  • MD5

    c028ef7fb63423a32ab156e5ed8885cd

  • SHA1

    5258ca2434f659a0cffe25ba6ae54cbc1760a889

  • SHA256

    5de84aa2add47410864a29eaeedae99fbd485681eedec214c9e7e65de36a5035

  • SHA512

    b600a6fb98f48eae7acfece839fff416e665e4c66c0550b281613604e3152ea2615c9c64eee109a0fe026ca6c04d7b3bca94882501046d6a9dfcaa6206e5b4e6

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    msteelwar.ddns.net:47680

Targets

    • Target

      Avast-install.exe

    • Size

      3.1MB

    • MD5

      c0096c0b89bd0f639eda7ac0c2ace030

    • SHA1

      e470692a6e9fe2533edfacc9646b8b85a63e39a8

    • SHA256

      a90d8742974ccf9df7d736eed7b071aa280c614368dd18114edd8384d9506621

    • SHA512

      a0e53925fb081937130f1d6fb60f448edde4d6e4fa80c88167459931eae023699b3d2e593b41a22f2d6dd93f51056c0925dc0f3b91d086f23c4d9bef060d4651

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

Tasks