General
-
Target
20240821acda17bc5897342e6bfb4c813b1066b0avoslockerhijackloader
-
Size
3.6MB
-
Sample
240821-za862sygkh
-
MD5
acda17bc5897342e6bfb4c813b1066b0
-
SHA1
baafccbf70a9f809dd3ee285da7a6449137439e4
-
SHA256
a4419ef85c2eadde1ea4943e87fa34fb0a68b82745b0980b827b8864d9165854
-
SHA512
1bbdbfaba2c7be10688cd99a9e30a6e8ee7d552ea9a383ca54a1cc95f886ee247d0e38c90d94bb087db582a22f3fbb94fdcb4a7f5c6faf84733bb998e38d325c
-
SSDEEP
98304:XiUupNGhzkE7R+OU/jIEeQfoR/IuOFVjUu5:r+GhzkE7cFIF0wu
Malware Config
Extracted
warzonerat
victorybelng.ddns.net:13900
Targets
-
-
Target
20240821acda17bc5897342e6bfb4c813b1066b0avoslockerhijackloader
-
Size
3.6MB
-
MD5
acda17bc5897342e6bfb4c813b1066b0
-
SHA1
baafccbf70a9f809dd3ee285da7a6449137439e4
-
SHA256
a4419ef85c2eadde1ea4943e87fa34fb0a68b82745b0980b827b8864d9165854
-
SHA512
1bbdbfaba2c7be10688cd99a9e30a6e8ee7d552ea9a383ca54a1cc95f886ee247d0e38c90d94bb087db582a22f3fbb94fdcb4a7f5c6faf84733bb998e38d325c
-
SSDEEP
98304:XiUupNGhzkE7R+OU/jIEeQfoR/IuOFVjUu5:r+GhzkE7cFIF0wu
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1