General
-
Target
3b9d261305fdfb39200d29074961f6b0920a3a39149678d16d30a5df4adf9311
-
Size
2.9MB
-
Sample
240502-zhs5sshb54
-
MD5
87b8b088ea73759c02bae9f9f061ed4d
-
SHA1
0f3562e73511be4cddcba38316cbf0907dac786d
-
SHA256
3b9d261305fdfb39200d29074961f6b0920a3a39149678d16d30a5df4adf9311
-
SHA512
c1a31bf479423c15c69d878f72c104a69e18e420abb94bac02a8274e5c245d930110f0ba606e33599a285f0dece54dfe75c35af6e3bf71a18074055bde424ce7
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHt:7v97AXmw4gxeOw46fUbNecCCFbNecA
Malware Config
Targets
-
-
Target
3b9d261305fdfb39200d29074961f6b0920a3a39149678d16d30a5df4adf9311
-
Size
2.9MB
-
MD5
87b8b088ea73759c02bae9f9f061ed4d
-
SHA1
0f3562e73511be4cddcba38316cbf0907dac786d
-
SHA256
3b9d261305fdfb39200d29074961f6b0920a3a39149678d16d30a5df4adf9311
-
SHA512
c1a31bf479423c15c69d878f72c104a69e18e420abb94bac02a8274e5c245d930110f0ba606e33599a285f0dece54dfe75c35af6e3bf71a18074055bde424ce7
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHt:7v97AXmw4gxeOw46fUbNecCCFbNecA
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Detects executables packed with ASPack
-
Warzone RAT payload
-
Modifies Installed Components in the registry
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4