General
-
Target
f15fb3befd6ae12ea63e2b94814bc4e0N
-
Size
5.3MB
-
Sample
240826-fhx9zaxemm
-
MD5
f15fb3befd6ae12ea63e2b94814bc4e0
-
SHA1
daa33940a1ef60cb98ab36c61b9ffdeb30067014
-
SHA256
b40829a2679c70bd62334e4eb5357decff759fdc4c5f3427fbf59d236a83aff9
-
SHA512
5c032bc1f1451d02c04d5c1fcab14479ebf78c3491e2c2a81954ee7ae5ca7be6087b2da25c20d0d52ffe628894c31b9f362434f70aab29e5031f2039b1665f59
-
SSDEEP
98304:iiUupNGhzkE7RR/fh6ImzzJoDfuBcMv+A73XA:C+GhzkE7jHh6ImzD+F
Malware Config
Extracted
warzonerat
victorybelng.ddns.net:13900
Targets
-
-
Target
f15fb3befd6ae12ea63e2b94814bc4e0N
-
Size
5.3MB
-
MD5
f15fb3befd6ae12ea63e2b94814bc4e0
-
SHA1
daa33940a1ef60cb98ab36c61b9ffdeb30067014
-
SHA256
b40829a2679c70bd62334e4eb5357decff759fdc4c5f3427fbf59d236a83aff9
-
SHA512
5c032bc1f1451d02c04d5c1fcab14479ebf78c3491e2c2a81954ee7ae5ca7be6087b2da25c20d0d52ffe628894c31b9f362434f70aab29e5031f2039b1665f59
-
SSDEEP
98304:iiUupNGhzkE7RR/fh6ImzzJoDfuBcMv+A73XA:C+GhzkE7jHh6ImzD+F
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Suspicious Office macro
Office document equipped with macros.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1