General

  • Target

    ab298689aca1c3f608dbc57b1b676867dcf9eb22ade75fe48b1819ed89130dfb

  • Size

    885KB

  • Sample

    220804-py2rrsehf8

  • MD5

    aba54c4f3a8fba3ee730a9f05f2f4997

  • SHA1

    c67b99edc2c0b880038d6bd9f8179e9d165b1597

  • SHA256

    ab298689aca1c3f608dbc57b1b676867dcf9eb22ade75fe48b1819ed89130dfb

  • SHA512

    d6cf3cef20ba5879e0abab338e665914b3158c82f418dc02e80d734f07081c99ccec68c6b93db569014ee5438e8ce01d26cf59b151a780dee33bae7c02958868

Malware Config

Extracted

Family

warzonerat

C2

style.etanetsys.com:42020

Targets

    • Target

      ab298689aca1c3f608dbc57b1b676867dcf9eb22ade75fe48b1819ed89130dfb

    • Size

      885KB

    • MD5

      aba54c4f3a8fba3ee730a9f05f2f4997

    • SHA1

      c67b99edc2c0b880038d6bd9f8179e9d165b1597

    • SHA256

      ab298689aca1c3f608dbc57b1b676867dcf9eb22ade75fe48b1819ed89130dfb

    • SHA512

      d6cf3cef20ba5879e0abab338e665914b3158c82f418dc02e80d734f07081c99ccec68c6b93db569014ee5438e8ce01d26cf59b151a780dee33bae7c02958868

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Adds Run key to start application

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Privilege Escalation