General

  • Target

    29e275a4c269803e9a77aa7d35243d335aaabd1f5fd9e71a13adbd5876956415N

  • Size

    2.9MB

  • Sample

    241020-rpwv9svbqj

  • MD5

    242df407e4154033ba3a19853e56fa50

  • SHA1

    cdcd3279ff6ba17a93c063d04d9f06c4e6f031bc

  • SHA256

    29e275a4c269803e9a77aa7d35243d335aaabd1f5fd9e71a13adbd5876956415

  • SHA512

    7db027247d834c98e032f066fb0a8351d86553dd9db4510b2bc6bfa8c9d9d18996b07560960c8f26d2ce01764712d09e36d2960a42e1a8f7c2274f9c75031cfe

  • SSDEEP

    24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHI:7v97AXmw4gxeOw46fUbNecCCFbNecn

Malware Config

Targets

    • Target

      29e275a4c269803e9a77aa7d35243d335aaabd1f5fd9e71a13adbd5876956415N

    • Size

      2.9MB

    • MD5

      242df407e4154033ba3a19853e56fa50

    • SHA1

      cdcd3279ff6ba17a93c063d04d9f06c4e6f031bc

    • SHA256

      29e275a4c269803e9a77aa7d35243d335aaabd1f5fd9e71a13adbd5876956415

    • SHA512

      7db027247d834c98e032f066fb0a8351d86553dd9db4510b2bc6bfa8c9d9d18996b07560960c8f26d2ce01764712d09e36d2960a42e1a8f7c2274f9c75031cfe

    • SSDEEP

      24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHI:7v97AXmw4gxeOw46fUbNecCCFbNecn

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks