General

  • Target

    EzFN-Manager.exe

  • Size

    10.5MB

  • Sample

    241029-rfnhjavmaz

  • MD5

    e528490c86b7bbd42cee5eb2ec1dcaa0

  • SHA1

    758ea1f40317648d9c0eb6f3540158bdbc1860a4

  • SHA256

    a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05

  • SHA512

    fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863

  • SSDEEP

    196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1300556355329064961/Hr5z2jCS3WJ6i3lLNX9pH7AY6YULSkQlBDytwIn6WghzluB2Q148Zrb2fym379REnDEw

Extracted

Family

warzonerat

C2

admin345-58584.portmap.host:58584

Targets

    • Target

      EzFN-Manager.exe

    • Size

      10.5MB

    • MD5

      e528490c86b7bbd42cee5eb2ec1dcaa0

    • SHA1

      758ea1f40317648d9c0eb6f3540158bdbc1860a4

    • SHA256

      a5b3e8a7c2cace998612199ffdfda738d3107ebafc810219c1a648467cefcb05

    • SHA512

      fce546b12944c6b08c016532a6f49fdb5d45412025de2600a59079f29323bb2732d756f802999a3fb46e84e52dd93c1c2acdde59a9feaf102546455976f41863

    • SSDEEP

      196608:HxmZUWfcvgWCpS1rpAcfBSOfMJiNbguUhFk7668rH55oHG:HwG0WCyrpAcfzf9bgT4xc5+G

    • Skuld family

    • Skuld stealer

      An info stealer written in Go lang.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks