General
-
Target
SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
-
Size
727KB
-
Sample
221121-nt1hgagh29
-
MD5
11fdd18da995241a7e74cc35d65de2db
-
SHA1
fbe27c616e9d2f6b72fc40a1756ae4e4b4723ae3
-
SHA256
6a4d569d0a0b08dfc52d10256bf3b384eaf57a3331a23b0456a109abcf772efd
-
SHA512
bb4a0895fb234f5e90c35201a4c10b3b035e22dd4ab57d5a214d08e835cea0f49a8584f0a623a3efd389ed86bf9fb67ab2bc1f6e20eef42efd9917a84c877cd6
-
SSDEEP
12288:KQqDi5HYIsMzxl5PMuU9M4YTIjXnhBzDwvy2HAA:NvNsqlKjXhB92H9
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
Resource
win10v2004-20221111-en
Malware Config
Targets
Target
SecuriteInfo.com.Variant.Lazy.264437.6912.26926.exe
-
Score
10/10
-
Modifies WinLogon for persistence
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-