General
Target: sample
Size: 853KB
Sample: 241231-xycrmsxkhr
MD5: 611331d25778baebe45720a166ef491b
SHA1: 6a8f22afb9ca7d8a5961a7b4f0fa45dd74133916
SHA256: b94104ac21bc902eea24079a507997e9cbfec4419db0c5dc6b5f647f01d014b4
SHA512: 26cf43adfc80b6e1cfd5759fdda0f0052dd9b2958cd9f384a9b76761a586d79c6aa8b52f5779781f36c5f2a5465f2c3cddf78392685b9cb8bba8b76698ad26d3
SSDEEP: 6144:g5qbCkxvcSrr+8rznFrZuXI0D006sZzomxbQGCpvkDaum7Im:PG8rqXK06sZzomxbQGCpvkDaumB
Static task: static1
Behavioral task: behavioral1
  Sample: sample.html
  Resource: win11-20241007-en
Malware Config
Targets
Target: sample (853KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
WarzoneRat, AveMaria
  WarzoneRat (also tracked as AveMaria) is a native RAT written in C++, sold as malware-as-a-service (MaaS) with multiple plugins.
Warzonerat family
Creates new service(s)
Downloads MZ/PE file
Manipulates Digital Signatures
  Attackers can rewrite the Authenticode SIP and trust-provider registry keys under HKLM\SOFTWARE\Microsoft\Cryptography so that signature validation reports their binary as valid (SIP and Trust Provider Hijacking, T1553.003, listed in the ATT&CK table below).
Possible privilege escalation attempt
A potential corporate email address has been identified in the URL: currency-file@1
  This is a string heuristic for user@host patterns. The matched text has no domain part, so it is more likely a fragment of a path or version string than a real address; treat it as a low-confidence hit.
Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects (T1546.015).
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
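The email-address signature above is a string heuristic, and its match "currency-file@1" shows the weakness: an "@" followed by a bare digit is not an address. The Python below is an added example, not part of the report or of any sandbox's own rules. It contrasts a loose regex of the kind that produces such hits with a stricter check that only accepts matches with a hostname-shaped domain and ignores URL userinfo. The URLs are constructed; the first is assumed to reproduce the report's match, since the page does not show the real URL.

```python
import re
from urllib.parse import unquote, urlsplit

# Loose pattern of the kind behind hits such as "currency-file@1": any run
# of address characters, an '@', then any run of host characters. No domain
# structure is required, so version segments and path parts match too.
NAIVE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# Stricter pattern: the part after '@' must look like a hostname with at
# least one dot and an alphabetic top-level label of two or more letters.
STRICT = re.compile(
    r"(?<![A-Za-z0-9._%+-])"            # do not start inside a longer token
    r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}"
    r"(?![A-Za-z0-9-])"                 # do not stop inside a longer label
)


def naive_emails(url: str) -> list[str]:
    """Every user@host-looking substring anywhere in the raw URL."""
    return NAIVE.findall(url)


def strict_emails(url: str) -> list[str]:
    """Address-like strings with a plausible domain, taken from the path,
    query and fragment only.

    The authority's userinfo (https://user@host/) is deliberately skipped:
    there the '@' is URL syntax, and credentials embedded in a URL are a
    separate finding, not an e-mail address.
    """
    parts = urlsplit(url)
    found: list[str] = []
    for field in (parts.path, parts.query, parts.fragment):
        found.extend(STRICT.findall(unquote(field)))
    return found


# Constructed URLs (not from the report). The first is assumed to reproduce
# the report's "currency-file@1" hit; the page does not show the real URL.
SAMPLE_URLS = [
    "https://cdn.example/pkg/currency-file@1/bundle.js",
    "https://mail.example/compose?to=alice@corp.example&x=1",
    "mailto:bob@corp.example",
    "https://alice@corp.example/login",
]


def compare(urls: list[str]) -> dict[str, tuple[list[str], list[str]]]:
    """Map each URL to (naive hits, strict hits)."""
    return {u: (naive_emails(u), strict_emails(u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare(SAMPLE_URLS).items():
        print(f"{url}\n  naive:  {loose}\n  strict: {strict}")
```

The strict pattern still accepts anything shaped like `name@label.xx`, so a path such as `file@v1.js` would pass; an allowlist of real top-level domains, or requiring the match to sit in a query parameter or mailto: scheme, tightens it further at the cost of recall.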
MITRE ATT&CK Enterprise v15
(the number after each technique is the count shown in the report; ATT&CK IDs added for reference)

Execution
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
  System Services (T1569): 1
    Service Execution (T1569.002): 1

Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Component Object Model Hijacking (T1546.015): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1

Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Component Object Model Hijacking (T1546.015): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1

Defense Evasion
  File and Directory Permissions Modification (T1222): 1
  Modify Registry (T1112): 2
  Subvert Trust Controls (T1553): 2
    SIP and Trust Provider Hijacking (T1553.003): 2

Discovery
  Browser Information Discovery (T1217): 1
  Network Share Discovery (T1135): 1
  Peripheral Device Discovery (T1120): 1
  Query Registry (T1012): 4
  System Information Discovery (T1082): 4
  System Location Discovery (T1614): 1
    System Language Discovery (T1614.001): 1
  System Network Configuration Discovery (T1016): 1
    Internet Connection Discovery (T1016.001): 1
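The "Manipulates Digital Signatures" signature, the SIP and Trust Provider Hijacking and Component Object Model Hijacking rows above, and the Run-key signature all come down to specific registry values, which is how an analyst would confirm them on a host or in a sandbox registry dump. The Python below is an added example, not part of the report or of any sandbox's detection logic. It parses a constructed .reg export and flags entries that deviate from the stock values. The key paths and GUIDs for the PE SIP and the Authenticode trust provider are real Windows locations; the expected DLL and function names are an assumption from a default Windows 10/11 install and should be verified against a known-good host. The hijacked DLL path, the CLSID, the DLL and EXE names and the Run entry are invented for illustration.

```python
# Stock locations and values for the Authenticode PE path. Assumption: taken
# from a default Windows 10/11 install; confirm against a known-good host
# before relying on them, and remember the WOW6432Node copies of these keys.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"             # PE image SIP
AUTHENTICODE_TRUST_GUID = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"  # Authenticode provider
EXPECTED = {
    ("CryptSIPDllVerifyIndirectData", PE_SIP_GUID): ("wintrust.dll", "CryptSIPVerifyIndirectData"),
    ("FinalPolicy", AUTHENTICODE_TRUST_GUID): ("wintrust.dll", "SoftpubAuthenticode"),
}

# Constructed .reg export (plain str; real exports are UTF-16 LE). The SIP
# entry has been redirected to a user-writable DLL; the CLSID, file names
# and Run entry are invented for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Users\\Public\\sipshim.dll"
"FuncName"="VerifyAlwaysTrue"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"$Function"="SoftpubAuthenticode"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0000CAFE-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\svchelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\svchelper.exe"
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser: key path -> {value name: REG_SZ string}. Other value
    types (dword:, hex:) are ignored; the checks below only need strings."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                # .reg doubles backslashes inside REG_SZ values
                keys[current][name] = value[1:-1].replace("\\\\", "\\")
    return keys


def trust_hijacks(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag SIP / trust-provider entries that no longer point at the stock
    wintrust.dll export (T1553.003)."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) < 2:
            continue
        expected = EXPECTED.get((parts[-2], parts[-1].upper()))
        if expected is None:
            continue
        # SIP keys use Dll/FuncName, trust-provider keys use $DLL/$Function.
        dll = values.get("Dll", values.get("$DLL", ""))
        func = values.get("FuncName", values.get("$Function", ""))
        dll_l = dll.lower()
        if (not dll_l.startswith(SYSTEM_DIRS)
                or dll_l.rsplit("\\", 1)[-1] != expected[0]
                or func != expected[1]):
            findings.append(f"{path}: {dll} / {func}")
    return findings


def com_hijacks(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag per-user CLSID server registrations outside the system
    directories. HKCU\\Software\\Classes shadows HKLM for a non-elevated
    process, which is what makes COM hijacking (T1546.015) work."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if (low.startswith("hkey_current_user\\software\\classes\\clsid\\")
                and low.endswith(("\\inprocserver32", "\\localserver32"))):
            server = values.get("@", "")
            if not server.lower().startswith(SYSTEM_DIRS):
                findings.append(f"{path}: {server}")
    return findings


def run_entries(keys: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """List every value under a Run/RunOnce key (T1547.001) for review."""
    out = []
    for path, values in keys.items():
        if path.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            out.extend((path, name, cmd) for name, cmd in values.items())
    return out


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for label, items in (("trust provider / SIP", trust_hijacks(reg)),
                         ("COM hijack", com_hijacks(reg)),
                         ("Run key", run_entries(reg))):
        print(f"{label}: {items}")
```

On a live host the same checks can be run against `reg export` output of the two Cryptography keys and of HKCU\Software\Classes\CLSID; the system-directory test is a coarse filter, so a LocalServer32 command line that legitimately lives under Program Files will need an extra allowlist.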