General
Target: IMG_1352.jpg
Size: 429KB
Sample: 231110-ehrxhscd77
MD5: 70b7eb2116121bcd2165198fc02868a4
SHA1: 28666cab9a29c035e63ab9b288c1ee2b69e3f90d
SHA256: aa5fee798a6686c5f724b07b79e38b374615f3408a308bec134ed67a871c2fa6
SHA512: c8a65cc10e0e1a49fe256c9693a80993b8ff335c392110bc9ac088200a7fd1f3a62259994ebb4aa8192d7b587f6fcf4e72a061045204a2d6dcf274622e3d6fe1
SSDEEP: 6144:suTGYGzuvo5aotNvYt5jRNSsYbKuoVQXgq6P7NE21Z8XhxZteBzYc:suTGJzugHtpYxYsYbKvJq6P5E21Z8Plc
Static task: static1
Behavioral task: behavioral1 (Sample: IMG_1352.jpg; Resource: win7-20231020-en)
Behavioral task: behavioral2 (Sample: IMG_1352.jpg; Resource: win10v2004-20231020-en)
Malware Config
Extracted family: warzonerat
Extracted address: 168.61.222.215:5400
Targets
Target: IMG_1352.jpg (same file and hashes as listed under General above)
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as MaaS (malware-as-a-service).
- Warzone RAT payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)