General

  • Target

    SecuriteInfo.com.IL.Trojan.MSILZilla.22184.14819.7977

  • Size

    888KB

  • Sample

    220726-jjnnpsfccp

  • MD5

    1bcd34738e63d6e4c67d56a5ab8d3cd0

  • SHA1

    8c8ee03272b9ec906ec060b39dd1b2ac0e820323

  • SHA256

    20f1a52cdcc9248da403d92ef63b76463276fbe27ef0cb8f7a5d862c325b1b5e

  • SHA512

    a095f1e9de182c0b6c01d6e7de354074b7df236dfe7ec568456b82252a675a3fe7e8a948e8c2b155b70a29f1a86b4e598ba8b2df83ed300345f0918c9b3b90c1

Malware Config

Extracted

Family

warzonerat

C2

51.195.145.82:5252

Targets

    • Target

      SecuriteInfo.com.IL.Trojan.MSILZilla.22184.14819.7977

    • Size

      888KB

    • MD5

      1bcd34738e63d6e4c67d56a5ab8d3cd0

    • SHA1

      8c8ee03272b9ec906ec060b39dd1b2ac0e820323

    • SHA256

      20f1a52cdcc9248da403d92ef63b76463276fbe27ef0cb8f7a5d862c325b1b5e

    • SHA512

      a095f1e9de182c0b6c01d6e7de354074b7df236dfe7ec568456b82252a675a3fe7e8a948e8c2b155b70a29f1a86b4e598ba8b2df83ed300345f0918c9b3b90c1

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks