General

  • Target

    Tax_Documents.docx

  • Size

    290KB

  • Sample

    220406-vtq3csfgd5

  • MD5

    e7bc410788af86fe5e41695dd0ae308b

  • SHA1

    8d9f55c90db961ea66993fd03e148b0dc9bcec5b

  • SHA256

    8056c874a9bc6c2204ab4ea45a6f0ef4f2de0302e367695fdfd3599e4509df55

  • SHA512

    2cd785643c49bd7ec7939e2684d9c4d12168d68df8ad554f2a6fcf9908cbd6fda8bc96d85c5828c8cd6085505a9b4348e031a74d30dc22ba9aee818b4e80d320

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    mubbibun.duckdns.org:999

Targets

    • Target

      Tax_Documents.docx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Async RAT payload

    • Warzone RAT Payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks