General
-
Target
9280350802fc7660d4ac4668c54e700128e0963998c148f0e4a74ae2a5457dccN.exe
-
Size
1.8MB
-
Sample
250102-k7crsavnez
-
MD5
d4ea88937b6212c0c42f9994ffcebad0
-
SHA1
54ca6cf06ea17ec5948bd3533d1dde7fd8ce6b14
-
SHA256
9280350802fc7660d4ac4668c54e700128e0963998c148f0e4a74ae2a5457dcc
-
SHA512
74cd2d9657f538f88c74ed79dbe7c2c813be62c46d9bbccc35e1c83dcb83d936ae27c6d4a4f48689ca6897f621e795fde035d29f75aff2400bed856ed8054308
-
SSDEEP
12288:BUrjP8Xuc2UY0B8TIwDDMistJ6gicRzubSFJeOgTpBA7W2FeDSIGVH/KIDgDgUeh:ujjSYIUDJ86giGTPQDbGV6eH81kN
Malware Config
Targets
-
-
Target
9280350802fc7660d4ac4668c54e700128e0963998c148f0e4a74ae2a5457dccN.exe
-
Size
1.8MB
-
MD5
d4ea88937b6212c0c42f9994ffcebad0
-
SHA1
54ca6cf06ea17ec5948bd3533d1dde7fd8ce6b14
-
SHA256
9280350802fc7660d4ac4668c54e700128e0963998c148f0e4a74ae2a5457dcc
-
SHA512
74cd2d9657f538f88c74ed79dbe7c2c813be62c46d9bbccc35e1c83dcb83d936ae27c6d4a4f48689ca6897f621e795fde035d29f75aff2400bed856ed8054308
-
SSDEEP
12288:BUrjP8Xuc2UY0B8TIwDDMistJ6gicRzubSFJeOgTpBA7W2FeDSIGVH/KIDgDgUeh:ujjSYIUDJ86giGTPQDbGV6eH81kN
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzonerat family
-
Warzone RAT payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4