General
-
Target
59a6534d4a9ff99efac576f8c624a06a3a8e159e87d2a5a30624e50f27e223c2N
-
Size
1.8MB
-
Sample
241002-k42azayaqn
-
MD5
394ad9b4b65e1d392c9495fa66e5c230
-
SHA1
c8e68a61f37dd0d8fc6c44c13e462aa0aa47e4c7
-
SHA256
59a6534d4a9ff99efac576f8c624a06a3a8e159e87d2a5a30624e50f27e223c2
-
SHA512
4f4225683daa3030f6e2abcb4e226295199e0bb8b185b3a8c566c251d5cee8f3ee341a967e526eb8f779f636e7ce3463c86485d5026c2131f2d4f63a560ab3e3
-
SSDEEP
12288:aq9MIJRSuKZhbnap2c7+wE6/tugWnlwGCbbFc576tA7W2FeDSIGVH/KIDgDgUeHP:atIzcbax3tug/BUQDbGV6eH8tk/
Behavioral task
behavioral1
Sample
59a6534d4a9ff99efac576f8c624a06a3a8e159e87d2a5a30624e50f27e223c2N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
59a6534d4a9ff99efac576f8c624a06a3a8e159e87d2a5a30624e50f27e223c2N.exe
Resource
win10v2004-20240802-en
Malware Config
Targets
-
Target
59a6534d4a9ff99efac576f8c624a06a3a8e159e87d2a5a30624e50f27e223c2N
-
Modifies Winlogon for persistence
-
Modifies visibility of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
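The persistence and defense-evasion signatures listed above (Winlogon helper, Active Setup StubPath, Run key, hidden/system file visibility) all leave traces in the registry, so a quick offline check is to run `reg export` on the relevant hives from the infected host and triage the dump. The script below is an added example written for this page, not tria.ge or Warzone code; it parses the `.reg` text format and flags the four indicator classes with the ATT&CK technique IDs from the matrix. The sample `.reg` text, the GUIDs and paths in it, and the "trusted prefix" / "user-writable location" heuristics are constructed assumptions, not values taken from the analysed sample.

```python
"""Offline triage of a `reg export` dump for Winlogon, Active Setup, Run-key and
Explorer hidden-file indicators. Added example; sample data and heuristics are
constructed, not taken from the sandbox report."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str, str]  # (ATT&CK technique, key path, value name, value)

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# Heuristic (assumption): autostart entries launching from here are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Heuristic (assumption): Active Setup StubPaths normally sit under the Windows
# directory or are regsvr32/rundll32 invocations of system DLLs.
TRUSTED_PREFIXES = ("%systemroot%", "c:\\windows\\", "regsvr32", "rundll32")


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes both \ and " with a backslash


def _decode(raw: str) -> object:
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/multi-line types are kept as raw text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `reg export` output into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(3))
    return keys


def _from_user_writable(path: str) -> bool:
    return any(p in path.lower() for p in USER_WRITABLE)


def triage(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.upper()
        if k.endswith("\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON"):
            # T1547.004: Shell must be exactly explorer.exe; Userinit must be the single
            # system32\userinit.exe entry (the trailing comma is normal).
            shell = str(values.get("Shell", "explorer.exe"))
            if shell.strip().lower() != "explorer.exe":
                findings.append(("T1547.004", key, "Shell", shell))
            userinit = str(values.get("Userinit", ""))
            parts = [p.strip().lower() for p in userinit.split(",") if p.strip()]
            if len(parts) > 1 or (parts and not parts[0].endswith("\\system32\\userinit.exe")):
                findings.append(("T1547.004", key, "Userinit", userinit))
        elif "\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\" in k:
            # T1547.014: StubPath runs once per user at logon; flag targets outside the
            # Windows directory (legitimate Program Files entries still need review).
            stub = values.get("StubPath")
            if isinstance(stub, str) and not stub.lower().lstrip('"').startswith(TRUSTED_PREFIXES):
                findings.append(("T1547.014", key, "StubPath", stub))
        elif re.search(r"\\CURRENTVERSION\\(RUN|RUNONCE)$", k):
            # T1547.001: Run/RunOnce entries launching from user-writable paths.
            for name, val in values.items():
                if isinstance(val, str) and _from_user_writable(val):
                    findings.append(("T1547.001", key, name, val))
        elif k.endswith("\\EXPLORER\\ADVANCED"):
            # T1564.001: Hidden=2 hides hidden files, ShowSuperHidden=0 hides protected
            # OS files, so a dropped payload with those attributes stays out of sight.
            if values.get("Hidden") == 2:
                findings.append(("T1564.001", key, "Hidden", "2"))
            if values.get("ShowSuperHidden") == 0:
                findings.append(("T1564.001", key, "ShowSuperHidden", "0"))
    return findings


# Constructed sample export: one benign and one suspicious entry per class.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\ProgramData\\images.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-0000-0000-0000-000000000001}]
"StubPath"="C:\\ProgramData\\images.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"="C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for technique, key, name, value in triage(parse_reg(SAMPLE_REG)):
        print(f"{technique}  {key}\\{name} = {value}")
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the Active Setup, Run and Explorer\Advanced keys) taken from the infected host; the path heuristics are deliberately loose, so treat the output as a worklist to verify against the dropped files, not as a verdict.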
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (T1547): 3
Active Setup (T1547.014): 1
Registry Run Keys / Startup Folder (T1547.001): 1
Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
Boot or Logon Autostart Execution (T1547): 3
Active Setup (T1547.014): 1
Registry Run Keys / Startup Folder (T1547.001): 1
Winlogon Helper DLL (T1547.004): 1
Defense Evasion
Hide Artifacts (T1564): 1
Hidden Files and Directories (T1564.001): 1
Modify Registry (T1112): 4