General

  • Target

    new order 2400 kgs Rab01.r20

  • Size

    224KB

  • Sample

    210916-txvpaagfbn

  • MD5

    612a884c54d5d39cad07838d30d89059

  • SHA1

    a2a765582277881ffe77fbd0bb38bc16de889139

  • SHA256

    fd56f8b43cd591ad84e41fbb54b17d689e011b15682b64da77ea4ddd9a3975e7

  • SHA512

    73689bd49b07331b0b57050b7e1b0c03b49efdf9f0ad23e3252423cdf7087f593847f7735d18e28fc9abbd6113547c1b075d0ca1ebec0c5468a9e661d3f0513f

Malware Config

Extracted

Family

warzonerat

C2

warzonepw.ddns.net:6476

Targets

    • Target

      new order 2400 kgs Rab01.scr

    • Size

      511KB

    • MD5

      ba549f38762c8cd2f324e2b83a859941

    • SHA1

      bc169ac418ddbc27aa30ff8604bda9dea108701e

    • SHA256

      25f47ed157aa94606c83548e5a8f345d88374f9514ee89a5ab96ca77b5aebb18

    • SHA512

      744b7f47e80a44726aee322be7f685c07575ab0b2fe0a6da0a2d0820354bbb1bf85731094576e6442af9a55a147f0726fdb04fd9079f10fc2ba98067b5347a00

    • Modifies WinLogon for persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Winlogon Helper DLL (T1004): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

Tasks