General

  • Target

    Perfectly Clear Workbench SAMPLE.zip

  • Size

    21.0MB

  • Sample

    211211-yx1mrabfb4

  • MD5

    d69f61d6bbb1953483e555a200f00fe9

  • SHA1

    8742a7ae0f0aa6ba984a9d97766777bdd86d7a41

  • SHA256

    bd2c2c4d451fbf0d9a21766f08469add420e1ebd09e8f3cec61f200418b238d5

  • SHA512

    2cc13db7595452f3f0588e039338eccaaf156bfefe345b772e255bd14e4ae90d6dddf0e8d815ff363afe956e7f5954218f7c3a2a67c52e1dabe0f3dbd45222b4

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    95.168.173.176:5200

Targets

    • Target

      Perfectly Clear Workbench.exe

    • Size

      22.7MB

    • MD5

      07c8ab309a013e4786c9587db7a65bdf

    • SHA1

      ef8ab1daf015590cf14ce47a350a99c82b71d125

    • SHA256

      9f9f34da4353b46d4b59673ac0520cdf7bd5a513c0590dfde99363cf5f1db657

    • SHA512

      ef392d50539d36eac9609ffcd76a68fa2e18b9fde03e2f8d4554a557e1bd093129aae302211b0ccd04f39b277feff7067cf0bf33b34604e0ab5a3f8d34dfadf2

    • Modifies WinLogon for persistence

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • WebMonitor Payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Count  ID
Persistence       Winlogon Helper DLL                  1      T1004
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Modify Registry                      2      T1112
Discovery         Query Registry                       2      T1012
Discovery         Peripheral Device Discovery          1      T1120
Discovery         System Information Discovery         2      T1082

Tasks