General
-
Target
b8ed07544ff8e68585ffb4b9fd228270N.exe
-
Size
3.2MB
-
Sample
240821-kt49watckk
-
MD5
b8ed07544ff8e68585ffb4b9fd228270
-
SHA1
5e26c89fcdb65c607029a2a9526312cffcaa72fd
-
SHA256
263c246b7cb21d175f77d324c0047087e7f14d5039388b97d0037e763a70fd72
-
SHA512
c9dc698ee10cb1cf2ad28a3a75e150f56e4bd3604f3c7f86db34e8ac8bb217f28313834ae7ea1ed1652e68844dfa1bfb854cc67aba13acadbac319f8e1efa907
-
SSDEEP
49152:ucyMVrv/5Dvb3DLhMVRRL14mzZkHiK6jcyMVrv/5Dvb3DLhMVRRL14mzZkHiK6:u0lb3fhMVeH6j0lb3fhMVeH6
Malware Config
Extracted
warzonerat
victorybelng.ddns.net:13900
Targets
-
-
Target
b8ed07544ff8e68585ffb4b9fd228270N.exe
-
Size
3.2MB
-
MD5
b8ed07544ff8e68585ffb4b9fd228270
-
SHA1
5e26c89fcdb65c607029a2a9526312cffcaa72fd
-
SHA256
263c246b7cb21d175f77d324c0047087e7f14d5039388b97d0037e763a70fd72
-
SHA512
c9dc698ee10cb1cf2ad28a3a75e150f56e4bd3604f3c7f86db34e8ac8bb217f28313834ae7ea1ed1652e68844dfa1bfb854cc67aba13acadbac319f8e1efa907
-
SSDEEP
49152:ucyMVrv/5Dvb3DLhMVRRL14mzZkHiK6jcyMVrv/5Dvb3DLhMVRRL14mzZkHiK6:u0lb3fhMVeH6j0lb3fhMVeH6
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1