Overview

overview

10

Static

static

PaymentsSlip.exe

windows7-x64

1

PaymentsSlip.exe

windows10-2004-x64

10

Resubmissions

25-07-2022 07:47

220725-jmkffsbcfr 10

25-07-2022 07:22

220725-h7rjtsbag4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7778926123.zip

  • Size

    374KB

  • Sample

    220725-jmkffsbcfr

  • MD5

    32c23fe70ffc00a2369cd68110ca282c

  • SHA1

    6c935d6de1abf0c68396fe869b89847894c611fe

  • SHA256

    c788a15c98cfa74cb9af145523baf59e36546f928e6054dc3e91c171f1b8e5bb

  • SHA512

    02006f229761b9fc33e8b2654a4f5667991a1125d97f1b25bcf333319ac6a57cece28fc518c07293d5d0c02da808d14da66b96acd60b9ae847d593fdce99384d

Score
10/10
modiloaderwarzoneratcollectioninfostealerpersistenceratsuricatatrojan

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.6:7007

Targets

    • Target

      PaymentsSlip.exe

    • Size

      899KB

    • MD5

      49f570ee00750e7371ea4dfd4a274216

    • SHA1

      9ec78b1a99c27c22be8ab837997cd43a7c0561bf

    • SHA256

      f0949175ee4c6e72f3405816aac82be2863b1c6a01734e5750883da1362aa5ed

    • SHA512

      d3d9b59627b951c55a15feb83b25b44ff2a06ba4da06e678febe20aa53f0847dcc8c2fa90cf6812642b323e82d840207002c6322cb720725513ea7f02146b29e

    Score
    10/10
    modiloaderwarzoneratcollectioninfostealerpersistenceratsuricatatrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin

      suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin

      suricata

    • suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)

      suricata: ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)

      suricata

    • ModiLoader Second Stage

    • Warzone RAT payload

      rat

    • Sets DLL path for service in the registry

      persistence

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks