General
-
Target
EzFN-Manager.exe
-
Size
10.5MB
-
Sample
241029-rfnhjavmaz
-
MD5
e528490c86b7bbd42cee5eb2ec1dcaa0
-
SHA1
758ea1f40317648d9c0eb6f3540158bdbc1860a4
-
SHA256
a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05
-
SHA512
fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863
-
SSDEEP
196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G
Static task
static1
Behavioral task
behavioral1
Sample
EzFN-Manager.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
EzFN-Manager.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1300556355329064961/Hr5z2jCS3WJ6i3lLNX9pH7AY6YULSkQlBDytwIn6WghzluB2Q148Zrb2fym379REnDEw
Extracted
warzonerat
admin345-58584.portmap.host:58584
Targets
-
-
Target
EzFN-Manager.exe
-
Size
10.5MB
-
MD5
e528490c86b7bbd42cee5eb2ec1dcaa0
-
SHA1
758ea1f40317648d9c0eb6f3540158bdbc1860a4
-
SHA256
a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05
-
SHA512
fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863
-
SSDEEP
196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G
-
Skuld family
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1