
Thursday, April 29, 2021

Threat Library - Ave Maria / Warzone RAT

Ave Maria / Warzone RAT


date: 4/27/2021

delivery: email [Subject: Requirement, Attachment: Zip (Requirement.7z) w/ EXE (Sales Order.xlss.exe)]

persistence: scheduled task "Updates\xSaltlJa" out of c:\users\<userid>\Roaming\xSZaltlJa.exe

capabilities (per memory strings): N/A

c2s: 104.209.133.4:7500

identification method: in-memory strings say "Ave_Maria"

special notes: in-memory references to security researcher "Vitali Kremez"

samples: 

7z - https://www.virustotal.com/gui/file/86b17ec2dd6ff42243356c4bf06e7b20fb044bba13d74c342c3df706e98484bd/detection

unpacked exe - https://www.virustotal.com/gui/file/e85769eee5f2539084a2da5bf79027849249130be251d1f2e8b3de0021d194ab/detection

links: https://twitter.com/neonprimetime/status/1387139547025260547

screenshots: 

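The persistence entry above (a scheduled task in a custom "Updates" folder launching an EXE out of a user's Roaming directory) is a pattern a defender can hunt for on a fleet. The following is an added example, not code from the original post: it parses output in the shape of `schtasks /query /fo CSV /v` and flags tasks whose action runs from a user profile's Roaming directory. The CSV rows are constructed (column subset only; the regex and function names are my own).

```python
import csv
import io
import re
import subprocess
import sys

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output.
# Real output has many more columns; the parser keys on header names only.
SAMPLE_CSV = r"""
"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$"
"WS01","\Updates\xSaltlJa","Ready","WS01\jdoe","c:\users\jdoe\AppData\Roaming\xSZaltlJa.exe"
"WS01","\Updates\WinUpdater","Ready","WS01\jdoe","C:\Users\jdoe\Roaming\svc.exe"
"WS01","\Adobe Acrobat Update Task","Ready","Adobe Systems Inc.","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
""".strip()

# Action path under a user profile's Roaming directory. Matches both the
# "c:\users\<user>\Roaming\" form written in the entry above and the usual
# "\AppData\Roaming\" layout. Hypothetical pattern, not from the page.
USER_ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata\\)?roaming\\", re.IGNORECASE)


def find_suspicious_tasks(csv_text):
    """Return (TaskName, action) pairs for tasks launched from a user's Roaming dir."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks may repeat the header row between task folders; skip those.
        if row.get("TaskName") == "TaskName":
            continue
        # Actions are sometimes written as "C:\path\x.exe" args; drop a leading quote.
        action = (row.get("Task To Run") or "").strip().lstrip('"')
        if USER_ROAMING.match(action):
            hits.append((row["TaskName"], action))
    return hits


def query_live_tasks():
    """Collect the real task list on a Windows host (same CSV shape as the sample)."""
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    data = query_live_tasks() if sys.platform == "win32" else SAMPLE_CSV
    for name, action in find_suspicious_tasks(data):
        print(f"suspicious task {name!r} runs {action}")
```

On the constructed sample this reports the two "Updates\..." tasks and leaves the Microsoft and Adobe tasks alone; review hits manually, since some legitimate per-user installers also schedule tasks from Roaming.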
---------------------------------------------------

date: 4/13/2021

delivery: email [Subject: Wholesale Price List, Attachment: XLSB (1-Copy of Quote Industro Sheet 20210413.xlsb, "Digicert logo themed", downloads maskcovld[.]ga/token/rfq/DrawingKit.exe)]

persistence: unknown

capabilities (per memory strings): unknown

c2s: crf.eur-import[.]com:6021

identification method: twitter replies

special notes: none

samples: 

File - https://app.any.run/tasks/0cf85641-e5be-4979-9e97-8afc0f30fa67/

Payload - https://tria.ge/210413-mp9t774whx

links: https://twitter.com/neonprimetime/status/1381955462967476228

screenshots: 

---------------------------------------------------