General

  • Target

    2ac52205398c945a7aa9f2e4cafdec23ce93f0d89ea2554be2b33ff6acf80288

  • Size

    986KB

  • Sample

    220805-mqh9cabfg3

  • MD5

    5959e1cb8294ea113feff26db42fe2fa

  • SHA1

    6ecc39ed0b36720ec730ed480805ab0827a62b5f

  • SHA256

    2ac52205398c945a7aa9f2e4cafdec23ce93f0d89ea2554be2b33ff6acf80288

  • SHA512

    69f911b5128874d3a8b6889edff87ce0ad871b96640a4b72ecd4fd076c17c7d09b6d052dbaf8c5857d5a427bd2504fb51a4e8e026ca28d981e85f437defc1f53

Malware Config

Extracted

Family

warzonerat

C2

style.etanetsys.com:42020

Targets

    • Target

      2ac52205398c945a7aa9f2e4cafdec23ce93f0d89ea2554be2b33ff6acf80288

    • Size

      986KB

    • MD5

      5959e1cb8294ea113feff26db42fe2fa

    • SHA1

      6ecc39ed0b36720ec730ed480805ab0827a62b5f

    • SHA256

      2ac52205398c945a7aa9f2e4cafdec23ce93f0d89ea2554be2b33ff6acf80288

    • SHA512

      69f911b5128874d3a8b6889edff87ce0ad871b96640a4b72ecd4fd076c17c7d09b6d052dbaf8c5857d5a427bd2504fb51a4e8e026ca28d981e85f437defc1f53

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • ModiLoader Second Stage

    • Warzone RAT payload

    • Adds Run key to start application

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Privilege Escalation