warzonerat | 3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b | Triage

Sharing

General

Target

3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b
Size

375KB
Sample

210114-fm8etaap9s
MD5

dbfa10be9e078d321c708bcd38bbebf0
SHA1

66e50bbf28ce0f776acb439bb218a115e3451738
SHA256

3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b
SHA512

d9d2df5b3e8ba720f0202447c7ae505db5c65ca702565512cc15b618846d86674b13eb7166881917a9dbaa01cd18b0fd117a47f09ce25474ce2a9f14d26d3144

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Targets

- Target
  
  3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b
- Size
  
  375KB
- MD5
  
  dbfa10be9e078d321c708bcd38bbebf0
- SHA1
  
  66e50bbf28ce0f776acb439bb218a115e3451738
- SHA256
  
  3f5c8c35ce923eec70e2e2638bef39ff55866ccf5ceaed62999e5376d598f30b
- SHA512
  
  d9d2df5b3e8ba720f0202447c7ae505db5c65ca702565512cc15b618846d86674b13eb7166881917a9dbaa01cd18b0fd117a47f09ce25474ce2a9f14d26d3144
Score

10^/10

warzonerat infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat