Resubmissions

25-07-2022 07:47

220725-jmkffsbcfr 10

25-07-2022 07:22

220725-h7rjtsbag4 10

General

  • Target

    7778926123.zip

  • Size

    374KB

  • Sample

    220725-h7rjtsbag4

  • MD5

    32c23fe70ffc00a2369cd68110ca282c

  • SHA1

    6c935d6de1abf0c68396fe869b89847894c611fe

  • SHA256

    c788a15c98cfa74cb9af145523baf59e36546f928e6054dc3e91c171f1b8e5bb

  • SHA512

    02006f229761b9fc33e8b2654a4f5667991a1125d97f1b25bcf333319ac6a57cece28fc518c07293d5d0c02da808d14da66b96acd60b9ae847d593fdce99384d

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.6:7007

Targets

    • Target

      PaymentsSlip.exe

    • Size

      899KB

    • MD5

      49f570ee00750e7371ea4dfd4a274216

    • SHA1

      9ec78b1a99c27c22be8ab837997cd43a7c0561bf

    • SHA256

      f0949175ee4c6e72f3405816aac82be2863b1c6a01734e5750883da1362aa5ed

    • SHA512

      d3d9b59627b951c55a15feb83b25b44ff2a06ba4da06e678febe20aa53f0847dcc8c2fa90cf6812642b323e82d840207002c6322cb720725513ea7f02146b29e

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Sets DLL path for service in the registry

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks