skuld | a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05 | Triage

Sharing

General

Target

EzFN-Manager.exe
Size

10.5MB
Sample

241029-rfnhjavmaz
MD5

e528490c86b7bbd42cee5eb2ec1dcaa0
SHA1

758ea1f40317648d9c0eb6f3540158bdbc1860a4
SHA256

a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05
SHA512

fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863
SSDEEP

196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G

Score

10^/10

skuld warzonerat discovery execution infostealer persistence rat stealer

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1300556355329064961/Hr5z2jCS3WJ6i3lLNX9pH7AY6YULSkQlBDytwIn6WghzluB2Q148Zrb2fym379REnDEw

Extracted

Family

warzonerat

C2

admin345-58584.portmap.host:58584

Targets

- Target
  
  EzFN-Manager.exe
- Size
  
  10.5MB
- MD5
  
  e528490c86b7bbd42cee5eb2ec1dcaa0
- SHA1
  
  758ea1f40317648d9c0eb6f3540158bdbc1860a4
- SHA256
  
  a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05
- SHA512
  
  fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863
- SSDEEP
  
  196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G
Score

10^/10

skuld warzonerat discovery execution infostealer persistence rat stealer
- Skuld family
  skuld
- Skuld stealer
  An info stealer written in Go lang.
  stealer skuld
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

skuldwarzoneratdiscoveryexecutioninfostealerpersistenceratstealer

behavioral2

warzoneratdiscoveryexecutioninfostealerpersistencerat