ddb25c6d3894be202a4ee4b061ce010d

General
Target

ddb25c6d3894be202a4ee4b061ce010d

Size

893KB

Sample

210915-hn8c8sdagn

Score
10 /10
MD5

ddb25c6d3894be202a4ee4b061ce010d

SHA1

5e87d177b7ca71c46f7c37d13a2de5e04b97549d

SHA256

8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

SHA512

b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Malware Config

Extracted

Family warzonerat
C2

severdops.ddns.net:3311

Targets
Target

ddb25c6d3894be202a4ee4b061ce010d

MD5

ddb25c6d3894be202a4ee4b061ce010d

Filesize

893KB

Score
10 /10
SHA1

5e87d177b7ca71c46f7c37d13a2de5e04b97549d

SHA256

8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

SHA512

b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Tags

Signatures

  • Modifies Windows Defender Real-time Protection settings

    Tags

    TTPs

    Modify Registry Modify Existing Service Disabling Security Tools
  • Turns off Windows Defender SpyNet reporting

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • UAC bypass

    Tags

    TTPs

    Bypass User Account Control Disabling Security Tools Modify Registry
  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Nirsoft

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry Virtualization/Sandbox Evasion
  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry System Information Discovery
  • Drops startup file

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Windows security modification

    Tags

    TTPs

    Disabling Security Tools Modify Registry
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder Modify Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry Peripheral Device Discovery System Information Discovery
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation