Overview

overview

10

Static

static

Shipment D...st.exe

windows7_x64

1

Shipment D...st.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Shipment Document BLINV and Packing list.exe

  • Size

    28KB

  • Sample

    211008-tx4xysefg2

  • MD5

    27b39b21bafc4a47a9504ecff0e785d7

  • SHA1

    531ab011827017043933ca264729487265961975

  • SHA256

    bcc35ce72f7559e9cd1431d3fa0f7ed33cd7f3b5d0cb21970c8e399296527469

  • SHA512

    5a866c1659d13129b96de5ac736005cf227182d10212ad45a56976cbbf2e7a588ca8967fe66d05dc3220b495bfc717823fdcddd0bf18b4b69eaa711bb0c2ff40

Score
10/10
warzoneratcollectioninfostealerpersistenceratspywarestealer

Malware Config

Extracted

Family

warzonerat

C2

enginekeysmoney.ddns.net:9671

Targets

    • Target

      Shipment Document BLINV and Packing list.exe

    • Size

      28KB

    • MD5

      27b39b21bafc4a47a9504ecff0e785d7

    • SHA1

      531ab011827017043933ca264729487265961975

    • SHA256

      bcc35ce72f7559e9cd1431d3fa0f7ed33cd7f3b5d0cb21970c8e399296527469

    • SHA512

      5a866c1659d13129b96de5ac736005cf227182d10212ad45a56976cbbf2e7a588ca8967fe66d05dc3220b495bfc717823fdcddd0bf18b4b69eaa711bb0c2ff40

    Score
    10/10
    warzoneratcollectioninfostealerpersistenceratspywarestealer

    • Modifies WinLogon for persistence

      persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks