General
-
Target
c3c3a6974e53d5509d3632631c77cd8f296e92986a5ec9bd86dcdae9ba49cb7eN
-
Size
2.9MB
-
Sample
241103-f11g2sypbl
-
MD5
62edf8717152c0b60f878acb1f9260d0
-
SHA1
1dbe4c41c2eb7e5265accc614f89062f83ec7bff
-
SHA256
c3c3a6974e53d5509d3632631c77cd8f296e92986a5ec9bd86dcdae9ba49cb7e
-
SHA512
4cac455f7546fd9af49dfdf4d720f5dc7322909ad69005cf3bf8972dc200b0f240da1f286e37265433b3bc22fedaca3bceead1723f96991da8f2364f9609f32c
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHq:7v97AXmw4gxeOw46fUbNecCCFbNec5
Malware Config
Targets
-
-
Target
c3c3a6974e53d5509d3632631c77cd8f296e92986a5ec9bd86dcdae9ba49cb7eN
-
Size
2.9MB
-
MD5
62edf8717152c0b60f878acb1f9260d0
-
SHA1
1dbe4c41c2eb7e5265accc614f89062f83ec7bff
-
SHA256
c3c3a6974e53d5509d3632631c77cd8f296e92986a5ec9bd86dcdae9ba49cb7e
-
SHA512
4cac455f7546fd9af49dfdf4d720f5dc7322909ad69005cf3bf8972dc200b0f240da1f286e37265433b3bc22fedaca3bceead1723f96991da8f2364f9609f32c
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHq:7v97AXmw4gxeOw46fUbNecCCFbNec5
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4