General

Target: LisectAVT_2403002A_44.exe
Size: 250KB
Sample: 240725-ayjtmazfjg
MD5: 1de50898c006fcc7d1924a6df312f8e2
SHA1: 7b1ae04725421af4e1609bc1594d01691643613f
SHA256: f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c
SHA512: 60d919aabbe922194e52e4b3834fb2ef8242427e851bff023cf3059c4bbf8574df318667b790638f7fc995872e2e35b572a4b0f3991dfc61150b1bba4b40d79c
SSDEEP: 6144:jNc88VTZVxiL2CzS3vlm8LkuJKjWZSLV64:y88Vt7iLVWvU8LdmV
Static task: static1

Behavioral task: behavioral1
Sample: LisectAVT_2403002A_44.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: LisectAVT_2403002A_44.exe
Resource: win10v2004-20240709-en
Malware Config

Extracted family: warzonerat
C2: 216.250.253.35:2356
Targets

Target: LisectAVT_2403002A_44.exe (250KB; hashes as listed under General)
Signatures:
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Warzone RAT payload
- Modifies Windows Firewall
- Server Software Component: Terminal Services DLL
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Server Software Component (1): Terminal Services DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (1): Hidden Users (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)

Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)