General

  • Target

    12f445be3eb360cb621537a9ecc077063399643860a2ee26588b69e1f13b6c84.xls

  • Size

    1MB

  • Sample

    221203-bhcaaaeg2s

  • MD5

    46980a1034c1e50936ed93d06a2a0168

  • SHA1

    f99b8d7797a6f34376a435e77879d2966facb926

  • SHA256

    12f445be3eb360cb621537a9ecc077063399643860a2ee26588b69e1f13b6c84

  • SHA512

    b719861c389640c1e43fc812cd770298ff87f31d7ea87a447217dae94cdab7a2326a45dc7d2a79f612c7deef18679f3016eb99d10279c085c4a718bb8da369f1

  • SSDEEP

    24576:dg9r5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXSm9r5XXXXXXXXXXXXUXXXXXXXSXXXH:kTsp2m2

Malware Config

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                          Count   ID
  ---------------------  ---------------------------------  ------  ------
  Execution              Scripting                          1       T1064
  Execution              Scheduled Task                     1       T1053
  Execution              Exploitation for Client Execution  1       T1203
  Persistence            Scheduled Task                     1       T1053
  Privilege Escalation   Scheduled Task                     1       T1053
  Defense Evasion        Scripting                          1       T1064
  Defense Evasion        Modify Registry                    1       T1112
  Discovery              System Information Discovery       3       T1082
  Discovery              Query Registry                     2       T1012
