General

  • Target

    542b8bf660fe5beb72db63f56bce5f9f12d47d5aae086da1421830f0cc9220a5

  • Size

    8.9MB

  • Sample

    241123-2f2ehawnhr

  • MD5

    b2110d7e99ac22547b8b83c4fb3b0c3a

  • SHA1

    33f621610c56e3e521ff2440b2c1a3830b605302

  • SHA256

    542b8bf660fe5beb72db63f56bce5f9f12d47d5aae086da1421830f0cc9220a5

  • SHA512

    20a8b1cf33a67a77917a01fe0f96a42c5ba447d787ea11e1db6cf1e8cce9c187518da7cdf1fcc5c86e3073e1a85d1218c58c35a78b2e57140b4d496c356d86bc

  • SSDEEP

    49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecT:K1+8e8e8f8e8e8G

Malware Config

Targets

    • Target

      542b8bf660fe5beb72db63f56bce5f9f12d47d5aae086da1421830f0cc9220a5

    • Size

      8.9MB

    • MD5

      b2110d7e99ac22547b8b83c4fb3b0c3a

    • SHA1

      33f621610c56e3e521ff2440b2c1a3830b605302

    • SHA256

      542b8bf660fe5beb72db63f56bce5f9f12d47d5aae086da1421830f0cc9220a5

    • SHA512

      20a8b1cf33a67a77917a01fe0f96a42c5ba447d787ea11e1db6cf1e8cce9c187518da7cdf1fcc5c86e3073e1a85d1218c58c35a78b2e57140b4d496c356d86bc

    • SSDEEP

      49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecT:K1+8e8e8f8e8e8G

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks