General
-
Target
6698fe875a92b99512b43d571b2f6d9277c470a97851a32425351027526181a4N
-
Size
1.8MB
-
Sample
240919-cywjjawfkr
-
MD5
aa0bb78422fa6f729b6aefcd527a27c0
-
SHA1
a861ae8fb76e90bdb44e7164fce782372d6011ad
-
SHA256
6698fe875a92b99512b43d571b2f6d9277c470a97851a32425351027526181a4
-
SHA512
6674a05dd28fed720dc8003125c9a464d5fd158a3b30d1db92dc9540275c9f686cf7f0dce89ad337f62eeb4f0c03856ac8609a57046ecdc811039e342c8fd25c
-
SSDEEP
12288:aq9MIJRSuKZhbnap2c7+wE6/tugWnlwGCbbFc576tA7W2FeDSIGVH/KIDgDgUeHO:atIzcbax3tug/BUQDbGV6eH8tke
Malware Config
Targets
-
-
Target
6698fe875a92b99512b43d571b2f6d9277c470a97851a32425351027526181a4N
-
Size
1.8MB
-
MD5
aa0bb78422fa6f729b6aefcd527a27c0
-
SHA1
a861ae8fb76e90bdb44e7164fce782372d6011ad
-
SHA256
6698fe875a92b99512b43d571b2f6d9277c470a97851a32425351027526181a4
-
SHA512
6674a05dd28fed720dc8003125c9a464d5fd158a3b30d1db92dc9540275c9f686cf7f0dce89ad337f62eeb4f0c03856ac8609a57046ecdc811039e342c8fd25c
-
SSDEEP
12288:aq9MIJRSuKZhbnap2c7+wE6/tugWnlwGCbbFc576tA7W2FeDSIGVH/KIDgDgUeHO:atIzcbax3tug/BUQDbGV6eH8tke
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4