General

  • Target

    New order requirements.exe

  • Size

    626KB

  • Sample

    220804-hfsyksdacl

  • MD5

    6f2bff637bc69d5a8fd1c290a41476a5

  • SHA1

    a66db66c7eb34acbd228f62b45f5d6ba7eab70f2

  • SHA256

    88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59

  • SHA512

    b185ee83abad546a4d7d2b9291b5d28c527c377d428df27e1cede065e3e87ad8bbeab0580b0e17235db2c8ab7c6a4f2ace8578b1f062077b0f9fa19b7c0858c5

Malware Config

Extracted

Family

warzonerat

C2

172.93.165.201:5200

Targets

    • Target

      New order requirements.exe

    • Size

      626KB

    • MD5

      6f2bff637bc69d5a8fd1c290a41476a5

    • SHA1

      a66db66c7eb34acbd228f62b45f5d6ba7eab70f2

    • SHA256

      88feac36d272543567fa2c4a9a055bc5d875c0bd3e6e2245f6c06fdb42c4cf59

    • SHA512

      b185ee83abad546a4d7d2b9291b5d28c527c377d428df27e1cede065e3e87ad8bbeab0580b0e17235db2c8ab7c6a4f2ace8578b1f062077b0f9fa19b7c0858c5

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks