General

  • Target

    Doc_30710489927_019_00003_00000095.PDF.exe

  • Size

    894KB

  • Sample

    220222-sg4rksbcgp

  • MD5

    7f6ab75be580b393be36e6f719a81160

  • SHA1

    7f0868bbb588515f2e5736d4af50586200edf40d

  • SHA256

    e62c0426c4787b0ac507f10bd9d3b6439dd8e5a3558bf6be2c2fbee698753d34

  • SHA512

    d53eda31af74ec0fab6421c9d62bd525b5dcf11c97f73cdc052fc57a8c586d06ac4c2bce2e8d49306e5273b8da6af877fd09db467495e0211cec0110687f7a73

Malware Config

  • Extracted

    Family: warzonerat

    C2: hafiznor336.duckdns.org:8593

Targets

    • Target

      Doc_30710489927_019_00003_00000095.PDF.exe

    • Size

      894KB

    • MD5

      7f6ab75be580b393be36e6f719a81160

    • SHA1

      7f0868bbb588515f2e5736d4af50586200edf40d

    • SHA256

      e62c0426c4787b0ac507f10bd9d3b6439dd8e5a3558bf6be2c2fbee698753d34

    • SHA512

      d53eda31af74ec0fab6421c9d62bd525b5dcf11c97f73cdc052fc57a8c586d06ac4c2bce2e8d49306e5273b8da6af877fd09db467495e0211cec0110687f7a73

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks