General

  • Target

    617546d49d79d5b574c832ab13cbae0f2da1b77db907814c90dd766a4c9c6179

  • Size

    1.8MB

  • Sample

    241220-awh5bavjey

  • MD5

    6926365f2530df4137a481477d0068a5

  • SHA1

    dcb4bd3cc01cd5896a2880262d44c73d0b25739c

  • SHA256

    617546d49d79d5b574c832ab13cbae0f2da1b77db907814c90dd766a4c9c6179

  • SHA512

    243595cdc75cbf9c18ea10738f9fcb37ea34456a01cdbd034ed5513a2577148a279974f81a17c68435fee2ad8e246a9f0bebeca2919e5c3ab60c3c88d61c7219

  • SSDEEP

    12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgc:k1gg4CppEI6GGfWDkMQDbGV6eH8tkR

Malware Config

Targets

    • Target

      617546d49d79d5b574c832ab13cbae0f2da1b77db907814c90dd766a4c9c6179

    • Size

      1.8MB

    • MD5

      6926365f2530df4137a481477d0068a5

    • SHA1

      dcb4bd3cc01cd5896a2880262d44c73d0b25739c

    • SHA256

      617546d49d79d5b574c832ab13cbae0f2da1b77db907814c90dd766a4c9c6179

    • SHA512

      243595cdc75cbf9c18ea10738f9fcb37ea34456a01cdbd034ed5513a2577148a279974f81a17c68435fee2ad8e246a9f0bebeca2919e5c3ab60c3c88d61c7219

    • SSDEEP

      12288:Q99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSG9dA7W2FeDSIGVH/KIDgc:k1gg4CppEI6GGfWDkMQDbGV6eH8tkR

    • Modifies WinLogon for persistence

    • Modifies visiblity of hidden/system files in Explorer

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Warzone RAT payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks