warzonerat | 98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f | Triage

Submit
Reports

Overview

overview

Static

static

new order.exe

windows7_x64

new order.exe

windows10_x64

Sharing

General

Target

new order.exe
Size

1.5MB
Sample

210118-bl18sbzzaa
MD5

2e49841fc82760ecebfa5b6f0342366a
SHA1

3c18902d82ecfa56c4cfff84954fa116ce249935
SHA256

98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f
SHA512

fab34aee9bd711df8d02e1623ea63a5a3253e6ec4846503d10f2a8157b18dda6b21fa440989b34f422121e78f05f8f06096421eba41fb20c59ccbf44de7eb4da

Score

10^/10

warzonerat infostealer persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

new order.exe

Resource

win7v20201028

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

new order.exe

Resource

win10v20201028

warzonerat infostealer persistence rat spyware

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

mykassa.zapto.org:5200

Targets

- Target
  
  new order.exe
- Size
  
  1.5MB
- MD5
  
  2e49841fc82760ecebfa5b6f0342366a
- SHA1
  
  3c18902d82ecfa56c4cfff84954fa116ce249935
- SHA256
  
  98cf9b180f49331bc9c5a5eae9257f083e7b9601819191e9414dc7a76321592f
- SHA512
  
  fab34aee9bd711df8d02e1623ea63a5a3253e6ec4846503d10f2a8157b18dda6b21fa440989b34f422121e78f05f8f06096421eba41fb20c59ccbf44de7eb4da
Score

10^/10

persistence warzonerat infostealer rat spyware
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratinfostealerpersistenceratspyware

© 2018-2024

Terms | Privacy