General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Sample
240706-wlqx3axgpm
Malware Config
Extracted
warzonerat
168.61.222.215:5400
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
crimsonrat
185.136.161.124
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Score10/10-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
UAC bypass
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
ModiLoader First Stage
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Renames multiple (561) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
RevengeRat Executable
-
Warzone RAT payload
-
Adds policy Run key to start application
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Drops startup file
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies system executable filetype association
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1Scripting
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
8Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
1Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
2File Deletion
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Hide Artifacts
2Hidden Files and Directories
2Scripting
1Direct Volume Access
1