General
-
Target
5552ca3a8382cea28092d7f1055c38d3aa74e55775ff608f221b6468d304597c
-
Size
1.8MB
-
Sample
240809-1eapqazepp
-
MD5
1c165fa07835c8d2fb59735fce8f3390
-
SHA1
ec936e2ca77b5c43a645de95ab26cf0aa06af1cc
-
SHA256
5552ca3a8382cea28092d7f1055c38d3aa74e55775ff608f221b6468d304597c
-
SHA512
17d3fb5cb3da4e79876922e33dc9461c0f275478d1ca7cf177a565d30d9110efbaa3a813a98eb6f80a20684ee08c7dac21646159f0b98bcfbc5e10ae05562802
-
SSDEEP
12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUec:x+D9uVMpjOyerrFQDbGV6eH81kg
Malware Config
Targets
-
-
Target
5552ca3a8382cea28092d7f1055c38d3aa74e55775ff608f221b6468d304597c
-
Size
1.8MB
-
MD5
1c165fa07835c8d2fb59735fce8f3390
-
SHA1
ec936e2ca77b5c43a645de95ab26cf0aa06af1cc
-
SHA256
5552ca3a8382cea28092d7f1055c38d3aa74e55775ff608f221b6468d304597c
-
SHA512
17d3fb5cb3da4e79876922e33dc9461c0f275478d1ca7cf177a565d30d9110efbaa3a813a98eb6f80a20684ee08c7dac21646159f0b98bcfbc5e10ae05562802
-
SSDEEP
12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUec:x+D9uVMpjOyerrFQDbGV6eH81kg
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4