General

  • Target

    Tender_L2-UAE001930-gwyoyqlbopdd.xlsx.exe

  • Size

    1.1MB

  • Sample

    220802-r9vtpshcck

  • MD5

    3506f47af9280b0cee32f9bc9319b461

  • SHA1

    23c228520bd16733e7cc54fbf1f4bc48b897a2d9

  • SHA256

    9d2a6a4d069a3d2ad99a117b411facbc86de0102a65bf5027c6b0f7dd0ae9014

  • SHA512

    e6bd29c8c884a570fc295ac426f0818657dad7bea68023ccff0c7292fd2af71a13e0edc788186651fdc40a5bcd040b6adac61be27058ed4dcfefafeb89dd73a9

Malware Config

Extracted

  • Family

    warzonerat

  • C2

    pentester01.duckdns.org:53078

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks