General

  • Target

    25e9a8ee4b351fae666fef02c717e49933b1ac834862fb1555585eec7d229b78

  • Size

    909KB

  • Sample

    220804-l8hj4aegep

  • MD5

    ebf9cc0cd95f6fe63b1eeac109012fa6

  • SHA1

    8d977b4c50f5770ed284891fa540b8b7eee9d7cd

  • SHA256

    25e9a8ee4b351fae666fef02c717e49933b1ac834862fb1555585eec7d229b78

  • SHA512

    00ed1a5847cba39ea0637bd9f9aa40ad584155ea7ce7202b20baff1a7062aca2699575976e2cee0d363c5323a241de6080494d112951f4bca8e8a76b6f07c10a

Malware Config

  • Extracted

    Family: warzonerat

    C2: 20.91.187.223:5707

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)
