General
-
Target
f6e87fb34289886533ec31c35176532715b24660dc4bed371afed502076f22f6
-
Size
1.6MB
-
Sample
240922-rjhrfstcjh
-
MD5
efc4e0538ae7ac8e0fa4ee802eb8e14b
-
SHA1
bd366c8231c616c3d4f08c7e96de03becf6051a5
-
SHA256
f6e87fb34289886533ec31c35176532715b24660dc4bed371afed502076f22f6
-
SHA512
850ce59c93e8379162cbd96e68618a4f2264520cff705362d8ce972acf2db7936837d0eaf1e6cb5a1e86bf0265f6bf9b3ca09a68168c6007e57868e30186986c
-
SSDEEP
49152:Rvm4e8xyQ6i6TvvAnHzl2xjxg2bRIzbbwrob:95xt6i67AnT2FgWR8wk
Malware Config
Targets
-
-
Target
40
-
Size
2.7MB
-
MD5
8c8ba1826ba6aa186205ee0c0c26c11b
-
SHA1
0f47a429a527afecc785419191931e75d241c865
-
SHA256
48a21129f65cb76b43e36c11e1ab28fec2a1b9c8cc4c84fbb0bb9bc14e205dcf
-
SHA512
50f213abe257a0483c67d9acba6026044e05250cfbad3d9dece901ec51b759b289dd37263e9ab5350a78af3999c2961489900430348baf9a215ac97a0774dd38
-
SSDEEP
24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH811:fF6mw4gxeOw46fUbNecCCFbNecD
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4