General

  • Target

    6cdef6c5e0396ee0f18b90a30ff5282244775703f86e68117832e266aace0deb

  • Size

    4.5MB

  • Sample

    241020-24qynswajf

  • MD5

    94ba925f69f9d7ab4a3f874b6eff90c1

  • SHA1

    3cec33432aeea95c912ad2cc249844c7f9a05c58

  • SHA256

    6cdef6c5e0396ee0f18b90a30ff5282244775703f86e68117832e266aace0deb

  • SHA512

    c61f11924c8bdc2abe9ab250a7265f98e0f06dedbefccbf1c46775b362e6f78cb78172d5b33003864ea18d50b4931eb348e828e38ff8da193411bb2f7c167ca4

  • SSDEEP

    24576:K1gg4CppEI6GGfWDkOQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0H:K1XP6rPbNechC0bNechC0bNecF

Malware Config

Targets

    • Target

      6cdef6c5e0396ee0f18b90a30ff5282244775703f86e68117832e266aace0deb

    • Size

      4.5MB

    • MD5

      94ba925f69f9d7ab4a3f874b6eff90c1

    • SHA1

      3cec33432aeea95c912ad2cc249844c7f9a05c58

    • SHA256

      6cdef6c5e0396ee0f18b90a30ff5282244775703f86e68117832e266aace0deb

    • SHA512

      c61f11924c8bdc2abe9ab250a7265f98e0f06dedbefccbf1c46775b362e6f78cb78172d5b33003864ea18d50b4931eb348e828e38ff8da193411bb2f7c167ca4

    • SSDEEP

      24576:K1gg4CppEI6GGfWDkOQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0H:K1XP6rPbNechC0bNechC0bNecF

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
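
The registry-based signatures above (Winlogon, Run key, Active Setup, Explorer hidden-file settings) each correspond to a small set of well-known registry values. The following is an added example written for this page, not code from the sandbox vendor and not the sandbox's own signature logic: it applies an editor's approximation of those checks to a handful of constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set). The event contents, image paths and SID are made up for illustration and are not taken from the analysed sample; the process-level signatures (dropped EXE/DLL execution, SetThreadContext) are out of scope for this snippet.

```python
import re

# Registry locations behind the sandbox signatures. Patterns match the
# Sysmon-style TargetObject path, case-insensitively. These rules are the
# editor's approximation, not the sandbox's actual detection logic.
RULES = {
    "Modifies WinLogon for persistence":
        re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
    "Adds Run key to start application":
        re.compile(r"\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I),
    "Boot or Logon Autostart Execution: Active Setup":
        re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I),
    "Modifies visibility of hidden/system files in Explorer":
        re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.I),
}

# Clean-install Winlogon values; anything else in these values is a payload.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe",
    "shell": "explorer.exe",
}

# Constructed sample events (hypothetical paths and SID, not sample data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\images.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\images",
     "Details": r"C:\Users\victim\AppData\Roaming\images.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000-EXAMPLE}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\images.exe"},
    {"Image": r"C:\Users\victim\AppData\Roaming\images.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example\DisplayName",
     "Details": "Example App"},
]


def _dword(details):
    """Parse a Sysmon 'DWORD (0x00000002)' value; None if it is not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-f]+)\)", details.strip(), re.I)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return the signature names one event triggers (empty list if benign)."""
    target, details = event["TargetObject"], event.get("Details", "")
    value_name = target.rsplit("\\", 1)[-1].lower()
    hits = []
    for name, pattern in RULES.items():
        if not pattern.search(target):
            continue
        if name.startswith("Modifies WinLogon"):
            # Writing the clean default back is not persistence; flag only changes.
            if details.strip().lower().rstrip(",") == WINLOGON_DEFAULTS[value_name]:
                continue
        elif name.startswith("Modifies visibility"):
            # Hidden=2 hides hidden files; ShowSuperHidden=0 hides protected OS files.
            # Turning the files *on* (Hidden=1, ShowSuperHidden=1) is not flagged.
            hiding = {"hidden": 2, "showsuperhidden": 0}[value_name]
            if _dword(details) != hiding:
                continue
        hits.append(name)
    return hits


def scan(events):
    """Map each triggered signature to the images that triggered it."""
    report = {}
    for ev in events:
        for name in classify(ev):
            report.setdefault(name, []).append(ev["Image"])
    return report


if __name__ == "__main__":
    for sig, images in scan(SAMPLE_EVENTS).items():
        print(f"{sig}: {sorted(set(images))}")
```

Two of the constructed events are deliberately benign (the installer restoring the default `Shell` value, and Explorer turning hidden files on) so that the value-level checks, not just the key path, decide the verdict; a rule that keyed on the path alone would raise both as false positives.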

MITRE ATT&CK Enterprise v15

Tasks