General

  • Target

    Shipment Document BLINV and Packing list.exe

  • Size

    25KB

  • Sample

    211008-qzm6faeea6

  • MD5

    bd1b61722ae264d4f00a0fb412d12bc0

  • SHA1

    4188fa6acae6960268d2bc0512aea9dc08ba7486

  • SHA256

    58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc

  • SHA512

    8feff8a854015545ac3b92d1e2d3242957ca504c6b5d89160951e64421c8c06d0643a6af3a6a436901eae43790741a642d8a71c91330bfccefcbfccb808ba6f6

Malware Config

Extracted

Family

warzonerat

C2

enginekeysmoney.ddns.net:9671

Targets

    • Target

      Shipment Document BLINV and Packing list.exe

    • Size

      25KB

    • MD5

      bd1b61722ae264d4f00a0fb412d12bc0

    • SHA1

      4188fa6acae6960268d2bc0512aea9dc08ba7486

    • SHA256

      58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc

    • SHA512

      8feff8a854015545ac3b92d1e2d3242957ca504c6b5d89160951e64421c8c06d0643a6af3a6a436901eae43790741a642d8a71c91330bfccefcbfccb808ba6f6

    • Modifies WinLogon for persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks