General

  • Target

    invoice-2013790008755.bat

  • Size

    269KB

  • Sample

    211014-q6d64shfe4

  • MD5

    c37e3d75cffedf5dfd2710d0741012b8

  • SHA1

    e0ef0f784d7be7b19d1ebe3f37bc0380061d24eb

  • SHA256

    82572bb673e848ff6622ce079dd07a8434290e44499846952ddda1819d315db3

  • SHA512

    c03f377264a544b2b3116b0a4036030e814b907050abd784ebe2ea9170b31c08cb0c253d077495e0b1e1266e6f02299b39d2defa7487d07af15434c9c5d90a1b

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Targets

    • Target

      invoice-2013790008755.bat


    • WarzoneRat, AveMaria

      WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS). The behaviours listed below are the sandbox signatures that fired for this sample.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Adds Run key to start application

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
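
The three registry persistence behaviours flagged above (Run key added, WinLogon modified, service DLL path set) can be hunted for in registry value-write telemetry. The script below is an added example, not code from the sandbox or from the WarzoneRAT sample: it parses constructed event lines in a compact "event_id|image|target|details" shape (real Sysmon Event ID 13, RegistryEvent value set, carries the same fields in XML), flags each behaviour with the ATT&CK v6 ID this report uses, and suppresses WinLogon writes that only restore the Windows default values. Every process name, file path, service name and SID in the sample events is invented for illustration, and mapping the ServiceDll write to T1112 is an assumption that follows the Modify Registry row of the matrix.

```python
"""Flag the registry persistence behaviours named in this report (Run key added,
Winlogon modified, service DLL path set) in registry value-set telemetry.

Added example; not code from the sandbox or from the WarzoneRAT sample. Events are
constructed for illustration in a compact "event_id|image|target|details" line
format; real Sysmon Event ID 13 (RegistryEvent, value set) records carry the same
fields in XML. All process, file and service names below are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Technique IDs follow the report's ATT&CK v6 matrix (later versions moved the
# first two to T1547.001 and T1547.004). The ServiceDll -> T1112 mapping is an
# assumption that follows the "Modify Registry" row of the matrix.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.I)
WINLOGON_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$", re.I)
SERVICE_DLL_RE = re.compile(
    r"\\system\\(?:currentcontrolset|controlset\d{3})\\services\\([^\\]+)\\parameters\\servicedll$", re.I)

# What Windows itself puts in these values; anything extra is a helper hijack.
WINLOGON_DEFAULTS = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}


@dataclass(frozen=True)
class Finding:
    technique: str
    name: str
    image: str      # process that wrote the value
    target: str     # full registry path of the value
    details: str    # data written


def parse_line(line):
    """Split one constructed event line into (event_id, image, target, details)."""
    event_id, image, target, details = line.rstrip("\n").split("|", 3)
    return int(event_id), image, target, details


def winlogon_extra_entries(value_name, details):
    """Return the comma-separated entries that are not the Windows default."""
    entries = {e.strip().lower() for e in details.split(",") if e.strip()}
    return entries - WINLOGON_DEFAULTS[value_name.lower()]


def detect(lines):
    findings = []
    for line in lines:
        event_id, image, target, details = parse_line(line)
        if event_id != 13:          # only registry value writes are relevant here
            continue
        if RUN_KEY_RE.search(target):
            findings.append(Finding("T1060", "Registry Run Keys / Startup Folder",
                                    image, target, details))
            continue
        m = WINLOGON_RE.search(target)
        if m:
            # Userinit/Shell rewritten to their defaults is noise; extra entries are not.
            if winlogon_extra_entries(m.group(1), details):
                findings.append(Finding("T1004", "Winlogon Helper DLL",
                                        image, target, details))
            continue
        if SERVICE_DLL_RE.search(target):
            findings.append(Finding("T1112", "Modify Registry (service DLL path)",
                                    image, target, details))
    return findings


def technique_counts(findings):
    """Per-technique hit counts, the same shape as the report's ATT&CK matrix."""
    return dict(Counter(f.technique for f in findings))


# Constructed telemetry: three writes by the dropper, two benign Winlogon writes
# that restore default values, one process-create event, one unrelated write.
EVENTS = [
    r"13|C:\Users\victim\AppData\Local\Temp\invoice.exe|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\images|C:\Users\victim\AppData\Roaming\images.exe",
    r"13|C:\Users\victim\AppData\Local\Temp\invoice.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|C:\Windows\system32\userinit.exe,C:\ProgramData\svc\images.exe",
    r"13|C:\Users\victim\AppData\Local\Temp\invoice.exe|HKLM\SYSTEM\CurrentControlSet\Services\ImgSvc\Parameters\ServiceDll|C:\Windows\System32\imgsvc.dll",
    r"13|C:\Windows\system32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|C:\Windows\system32\userinit.exe,",
    r"13|C:\Windows\system32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|explorer.exe",
    r"1|C:\Windows\explorer.exe|C:\Users\victim\Downloads\invoice-2013790008755.bat|",
    r"13|C:\Program Files\Vendor\setup.exe|HKLM\SOFTWARE\Vendor\Settings\Theme|dark",
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.technique} {f.name}: {f.image} -> {f.target} = {f.details}")
    print(technique_counts(detect(EVENTS)))
```

Run against the constructed events, the Run key, the Userinit hijack and the ServiceDll write are reported once each and the two default-value Winlogon writes stay silent. The SetThreadContext signature is a process-injection indicator and is not visible in registry telemetry, so it needs a separate API or ETW based detection.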

MITRE ATT&CK Matrix (ATT&CK v6)

The number in parentheses is the count of matched signatures mapped to that technique. IDs are from ATT&CK v6; in the current matrix T1060 and T1004 are T1547.001 and T1547.004 (Boot or Logon Autostart Execution), and T1053 is Scheduled Task/Job.

Execution

  • Scheduled Task (1) T1053

Persistence

  • Registry Run Keys / Startup Folder (2) T1060

  • Winlogon Helper DLL (1) T1004

  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Modify Registry (3) T1112

Discovery

  • System Information Discovery (1) T1082

Tasks