General

  • Target

    RFQ-PO5510318.doc

  • Size

    3KB

  • Sample

    221202-vrfhvaca2v

  • MD5

    73e90b8ab794140d531074ce5fbae281

  • SHA1

    8339de2af1ae803455af991acbf8694e5c060153

  • SHA256

    68b6c810be1854669614d9a1c371146ad2283ea737cd06ccbce96672bd559002

  • SHA512

    7524cd91b537b04a4d9fc7a6c279a57be33a27d98469700892d51f135d806ee87bfaa9d034b232a39746c3d3eb217dbeb0d482b430b2c380a012d148456a2dbb

Malware Config

  • Extracted

    Family: warzonerat

    C2: revive147.duckdns.org:6513

Targets

    • Target

      RFQ-PO5510318.doc


    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 3

    Query Registry (T1012): 2
