General

  • Target

    PO for ART IMPEX GROUP LLP.doc

  • Size

    1.0MB

  • Sample

    210719-h3vx5wbrh2

  • MD5

    35c9dcf7c4a922996d01cd1172e5ee72

  • SHA1

    f04b7261c7209fbca4a6ca7b64d52b24fb0a0bef

  • SHA256

    f415487e104efb2d80000858f7942cd9db73526601066eca5e63d99a50926298

  • SHA512

    7b1c68f5aa7bdfc3df156c4813d70c518adf570bfc82f4cbad72a487949303b988c8f355715d78f2d07c67a1a8ad3c3f86ce10dc1dd0eaf649b1b1a28b767900

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

httP://freebeeskatobi.ydns.eu/obi1.exe

Extracted

Family

warzonerat

C2

dfdgdsasedw.ydns.eu:34566

Targets

    • Target

      PO for ART IMPEX GROUP LLP.doc

    • Size

      1.0MB

    • MD5

      35c9dcf7c4a922996d01cd1172e5ee72

    • SHA1

      f04b7261c7209fbca4a6ca7b64d52b24fb0a0bef

    • SHA256

      f415487e104efb2d80000858f7942cd9db73526601066eca5e63d99a50926298

    • SHA512

      7b1c68f5aa7bdfc3df156c4813d70c518adf570bfc82f4cbad72a487949303b988c8f355715d78f2d07c67a1a8ad3c3f86ce10dc1dd0eaf649b1b1a28b767900

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • AgentTesla Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Winlogon Helper DLL

1
T1004

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Collection

Data from Local System

1
T1005

Tasks