General
-
Target
8dacf8a0cb1ff462e9b6836a6c21460856500bbdb177a12c078adf40c1d4bbbdN.exe
-
Size
2.9MB
-
Sample
250101-v1zcbaxmgj
-
MD5
040b375855ea5ace05bcf21700b4a4d0
-
SHA1
37fddea16f6f496dff7bf28fdd74864846bb1db6
-
SHA256
8dacf8a0cb1ff462e9b6836a6c21460856500bbdb177a12c078adf40c1d4bbbd
-
SHA512
e00191bad024e2bc2d971b85ba7a775ef31d7c5aa36a26fd9313ce64a2a8765eb9785a2c4b44e1e4ed75690116ca3a90b68307c61c1d1d9f83eb0d997727fbda
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHc:7v97AXmw4gxeOw46fUbNecCCFbNecN
Malware Config
Targets
-
-
Target
8dacf8a0cb1ff462e9b6836a6c21460856500bbdb177a12c078adf40c1d4bbbdN.exe
-
Size
2.9MB
-
MD5
040b375855ea5ace05bcf21700b4a4d0
-
SHA1
37fddea16f6f496dff7bf28fdd74864846bb1db6
-
SHA256
8dacf8a0cb1ff462e9b6836a6c21460856500bbdb177a12c078adf40c1d4bbbd
-
SHA512
e00191bad024e2bc2d971b85ba7a775ef31d7c5aa36a26fd9313ce64a2a8765eb9785a2c4b44e1e4ed75690116ca3a90b68307c61c1d1d9f83eb0d997727fbda
-
SSDEEP
24576:7v97AXmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHc:7v97AXmw4gxeOw46fUbNecCCFbNecN
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4