General

  • Target

    Scan-2021-10-06-89388399008827829020287278299276678292026368298.exe

  • Size

    349KB

  • Sample

    211007-fk9e1scbap

  • MD5

    393057b6f48539e0e740349a43b13a6a

  • SHA1

    96824dcbce0bcd6ae3298b1eeb425381f93267a7

  • SHA256

    a219440a18c85fe668a060a26192f359b7b881bae02e6871baadd89b7019da9c

  • SHA512

    d05059a2c422093a722ffd8f5de53c40b0343ecfd21322a3a692146bbb5aaaa72a7cb434d6941f01812e98ccf01c16d1226bf4a767476de9ca751b8dff79e11c

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    176.126.86.243:2021

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             System Information Discovery         1      T1082

Tasks