General

  • Target

    Takwindo-Transaction copy.pdf.bat

  • Size

    459KB

  • Sample

    211125-t39qdsfgel

  • MD5

    f75b317c23bd1e7e7c38e826ef5b1594

  • SHA1

    f49c5ef685eadb6f4a1113e09c38d5c09c4ef90f

  • SHA256

    72443331a855a0b11747c50831fc847fcab27998d613e548346194d4d610aa22

  • SHA512

    143baca1c92638c6ef81cc923c8e03ff2f71bf4119a3466ab808638a4f9fd08c99b20eceee82e8c28860bffe30ebd20a1427d5c2f8b0d58dcfc449ea922dc9df

Malware Config

Extracted

  Family:  warzonerat
  C2:      5.2.68.91:62520

Targets

    • Target

      Takwindo-Transaction copy.pdf.bat

    • Size

      459KB

    • MD5

      f75b317c23bd1e7e7c38e826ef5b1594

    • SHA1

      f49c5ef685eadb6f4a1113e09c38d5c09c4ef90f

    • SHA256

      72443331a855a0b11747c50831fc847fcab27998d613e548346194d4d610aa22

    • SHA512

      143baca1c92638c6ef81cc923c8e03ff2f71bf4119a3466ab808638a4f9fd08c99b20eceee82e8c28860bffe30ebd20a1427d5c2f8b0d58dcfc449ea922dc9df

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Looks for VirtualBox Guest Additions in registry

    • Warzone RAT Payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     3      T1082
  Discovery             Peripheral Device Discovery      1      T1120

Tasks