warzonerat | 39fb1a47b9dd909768be83b9e05f2c883dc20f43397cc5bfa772268a1c61bd5d | Triage

Submit
Reports

Overview

overview

Static

static

new.bin.exe

windows7_x64

new.bin.exe

windows10_x64

Resubmissions

17-07-2021 08:51

210717-pb9y65dfpe 10

05-11-2020 03:55

201105-tr1wdy5fgn 10

Sharing

General

Target

new.bin.zip
Size

269KB
Sample

201105-tr1wdy5fgn
MD5

2acf48abf989898d6bcf8dddfd8d621d
SHA1

a9a468bb3740b868b80330f5849d11ca2803660d
SHA256

39fb1a47b9dd909768be83b9e05f2c883dc20f43397cc5bfa772268a1c61bd5d
SHA512

64864371ea613fc48c2c29252956c86010c65327bc3225d0150ccc3504d8e7016429cebbe8fd8f91732d15b0c2c10da71b0ebe4cc1150d887c80cf54588d5460

Score

10^/10

warzonerat infostealer persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

new.bin.exe

Resource

win7v20201028

warzonerat infostealer persistence rat spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

new.bin.exe

Resource

win10v20201028

warzonerat infostealer persistence rat spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  new.bin
- Size
  
  1.6MB
- MD5
  
  40e3805e5cad44b618fd0656ec933c9c
- SHA1
  
  ae638966794b68432c4fcc78acc0ac3375f9a842
- SHA256
  
  7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b
- SHA512
  
  97c8388ccdc0af8945c241133cfb0953359ccbc476e516bd555fa94f0f4348dc27832af4ab8334f9559caeda0c090edd6596e7b9ee0fcd5aefb89721bc7257ef
Score

10^/10

warzonerat infostealer persistence rat spyware
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- JavaScript code in executable
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistenceratspyware

behavioral2

warzoneratinfostealerpersistenceratspyware

© 2018-2024

Terms | Privacy