General
-
Target
e7a1e987b6b6f848be3c5713842ec200_NEIKI
-
Size
1.8MB
-
Sample
240508-sk1t4acg69
-
MD5
e7a1e987b6b6f848be3c5713842ec200
-
SHA1
695668f68adfa96a675f525bd4281c3fa98d679d
-
SHA256
3715bbf15925cbe0675a27190a24167797ead0e9a10142619459a45b140b3d8d
-
SHA512
83a31d8373f9e767115379383a24bb07acbf020497c4b620596ad8f60470bad7f96de3a1322f214011e5ddd89c0b3a186cc5d22c48491aed087a45c9bd0079b9
-
SSDEEP
12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDge:J1gg4CppEI6GGfWDkIQDbGV6eH81k3
Malware Config
Targets
-
-
Target
e7a1e987b6b6f848be3c5713842ec200_NEIKI
-
Size
1.8MB
-
MD5
e7a1e987b6b6f848be3c5713842ec200
-
SHA1
695668f68adfa96a675f525bd4281c3fa98d679d
-
SHA256
3715bbf15925cbe0675a27190a24167797ead0e9a10142619459a45b140b3d8d
-
SHA512
83a31d8373f9e767115379383a24bb07acbf020497c4b620596ad8f60470bad7f96de3a1322f214011e5ddd89c0b3a186cc5d22c48491aed087a45c9bd0079b9
-
SSDEEP
12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDge:J1gg4CppEI6GGfWDkIQDbGV6eH81k3
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1