General
-
Target
3befba00652b8af76c54697b90ea8bd0N.exe
-
Size
1.6MB
-
Sample
240823-bgh2faxdmc
-
MD5
3befba00652b8af76c54697b90ea8bd0
-
SHA1
29045d47a35f6c366ca8c65df1b0dfc71e41ffec
-
SHA256
a1fd5ae5989fa99ba73480ff52a26a61023f11b183c2a45a865462195dd00385
-
SHA512
44b9ab5a34e2e8e8f02bc3328df7207dbafb36b85796253d6c6068acd376608949364386b9ba3555dfc3e047b419eb8cdcc36f7bf9f14dea63b3bb5ef2041c4c
-
SSDEEP
24576:qcq4JatYjB4MVddvtd5DhNmEaWLDs2hM3l5CMR1d1zQFmE2py7Ok394atJqK6p:qcyMVrv/5Dvb3DLhMVRRL14mzZkHiK6
Malware Config
Targets
-
-
Target
3befba00652b8af76c54697b90ea8bd0N.exe
-
Size
1.6MB
-
MD5
3befba00652b8af76c54697b90ea8bd0
-
SHA1
29045d47a35f6c366ca8c65df1b0dfc71e41ffec
-
SHA256
a1fd5ae5989fa99ba73480ff52a26a61023f11b183c2a45a865462195dd00385
-
SHA512
44b9ab5a34e2e8e8f02bc3328df7207dbafb36b85796253d6c6068acd376608949364386b9ba3555dfc3e047b419eb8cdcc36f7bf9f14dea63b3bb5ef2041c4c
-
SSDEEP
24576:qcq4JatYjB4MVddvtd5DhNmEaWLDs2hM3l5CMR1d1zQFmE2py7Ok394atJqK6p:qcyMVrv/5Dvb3DLhMVRRL14mzZkHiK6
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1