General

  • Target

    212b1e774e310dbe4e92b01854f31d53.exe.vir

  • Size

    1.8MB

  • Sample

    220703-kej1dscafq

  • MD5

    8dabf738b94f546d629b31d470030fa0

  • SHA1

    9d7fd51b838445c916caa9e55039c9051ce75943

  • SHA256

    5bf69c13e82d68888f0474505d75f49989359cf6934194fc45abc22695ccf0f7

  • SHA512

    1998260ba729ca20469753c04be48b2b83c2d5c505a27d56b2f1a16b91bbf2177a753f3378cdf249df5de5d786721e52f9f5e7b93616b5536be6f936dae05fe4

Malware Config

Extracted

Family

warzonerat

C2

workstation2022.ddns.net:5254

Targets

    • Target

      212b1e774e310dbe4e92b01854f31d53.exe.vir

    • Size

      1.8MB

    • MD5

      8dabf738b94f546d629b31d470030fa0

    • SHA1

      9d7fd51b838445c916caa9e55039c9051ce75943

    • SHA256

      5bf69c13e82d68888f0474505d75f49989359cf6934194fc45abc22695ccf0f7

    • SHA512

      1998260ba729ca20469753c04be48b2b83c2d5c505a27d56b2f1a16b91bbf2177a753f3378cdf249df5de5d786721e52f9f5e7b93616b5536be6f936dae05fe4

    • WarzoneRat, AveMaria

      WarzoneRAT (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Windows security bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Warzone RAT Payload

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain regions).

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Matches   ID
Persistence       Account Manipulation                 1         T1098
Persistence       Registry Run Keys / Startup Folder   1         T1060
Defense Evasion   Disabling Security Tools             2         T1089
Defense Evasion   Modify Registry                      3         T1112
Discovery         Query Registry                       2         T1012
Discovery         System Information Discovery         3         T1082
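The behaviour signatures and the ATT&CK mapping above, turned into runnable detection logic as an added example (this is not code from the report or from the sandbox vendor). It applies the same checks to a handful of constructed API-trace style events and reports which ATT&CK v6 technique IDs they cover. Only the C2 host, port and SHA256 are taken from the report; the event schema, the registry paths each signature is assumed to key on, the net.exe command pattern and every sample event are assumptions made for this example.

```python
"""Added example: map the sandbox report's behaviour signatures onto its
ATT&CK v6 technique IDs and run those checks over constructed events."""
import re

# Indicators taken from the report.
C2_HOST = "workstation2022.ddns.net"
C2_PORT = 5254
SAMPLE_SHA256 = "5bf69c13e82d68888f0474505d75f49989359cf6934194fc45abc22695ccf0f7"

# Registry paths each signature is ASSUMED to key on (the report does not
# publish its exact matchers; these are common choices for the same checks).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BIOS_KEY_RE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)
DEFENDER_KEY_RE = re.compile(r"\\Microsoft\\Windows Defender\\", re.I)
# Assumed shape of "uses net.exe to modify the user's privileges".
NET_PRIV_RE = re.compile(r"\blocalgroup\s+administrators\b.*\s/add\b|\buser\s+\S+.*\s/add\b", re.I)

# Constructed events (hypothetical schema; the report publishes no raw telemetry).
SAMPLE_EVENTS = [
    {"kind": "registry_query", "pid": 1000, "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"kind": "registry_query", "pid": 1000, "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "registry_set", "pid": 1000, "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\Public\updater.exe"},
    {"kind": "registry_set", "pid": 1000, "path": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public",
     "value": "0"},
    {"kind": "process", "pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators victim /add"},
    {"kind": "api_call", "pid": 1000, "api": "SetThreadContext", "target_pid": 1002},
    {"kind": "dns", "pid": 1002, "query": "workstation2022.ddns.net"},
    {"kind": "connect", "pid": 1002, "host": "workstation2022.ddns.net", "dport": 5254},
    {"kind": "process", "pid": 1003, "ppid": 500, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use"},  # benign net.exe usage, must not fire
]


def detect(event):
    """Return (technique_id, label) hits for one event. technique_id is None
    for behaviours the report flags but does not map in its ATT&CK matrix."""
    hits = []
    kind = event.get("kind")
    if kind == "process":
        image = event.get("image", "").lower()
        if image.endswith(("\\net.exe", "\\net1.exe")) and NET_PRIV_RE.search(event.get("cmdline", "")):
            hits.append(("T1098", "Grants admin privileges via net.exe"))
    elif kind == "registry_set":
        path = event.get("path", "")
        if RUN_KEY_RE.search(path):
            hits.append(("T1060", "Adds Run key to start application"))
        if DEFENDER_KEY_RE.search(path):
            hits.append(("T1089", "Windows security modification"))
            hits.append(("T1112", "Modify Registry"))
    elif kind == "registry_query":
        path = event.get("path", "")
        if BIOS_KEY_RE.search(path):
            hits.append(("T1082", "Checks BIOS information in registry (sandbox detection)"))
            hits.append(("T1012", "Query Registry"))
        if GEO_KEY_RE.search(path):
            hits.append(("T1082", "Checks computer location settings (likely geofence)"))
            hits.append(("T1012", "Query Registry"))
    elif kind == "api_call":
        # SetThreadContext on another process is the hollowing/injection pattern.
        if event.get("api") == "SetThreadContext" and event.get("target_pid") != event.get("pid"):
            hits.append((None, "Suspicious use of SetThreadContext (cross-process)"))
    elif kind == "dns":
        if event.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append((None, f"DNS lookup of WarzoneRAT C2 {C2_HOST}"))
    elif kind == "connect":
        if event.get("host", "").lower() == C2_HOST and event.get("dport") == C2_PORT:
            hits.append((None, f"Connection to WarzoneRAT C2 {C2_HOST}:{C2_PORT}"))
    return hits


def run_detections(events):
    """Flatten hits across an event list as (event_index, technique_id, label)."""
    return [(i, tid, label) for i, ev in enumerate(events) for tid, label in detect(ev)]


def attack_coverage(events):
    """Set of ATT&CK v6 technique IDs observed; unmapped behaviours are skipped."""
    return {tid for _, tid, _ in run_detections(events) if tid is not None}


if __name__ == "__main__":
    for i, tid, label in run_detections(SAMPLE_EVENTS):
        print(f"event {i}: {tid or '-':<6} {label}")
    print("coverage:", sorted(attack_coverage(SAMPLE_EVENTS)))
```

Running the script against the constructed events reproduces the six technique IDs in the matrix above; the SetThreadContext, DNS and connect hits are reported with no ID because the matrix on this page does not map them. Note that real Sysmon telemetry does not record registry reads, so the BIOS and location checks are only visible in API-trace or sandbox data, not in a standard EDR registry feed.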
