Overview

overview

10

Static

static

Symptomaticshon5.exe

windows7_x64

10

Symptomaticshon5.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Symptomaticshon5.exe

  • Size

    108KB

  • Sample

    210119-fjnrtjm89j

  • MD5

    09b6c8f169567f8557b2d96d9f6d3644

  • SHA1

    f37977654300daf97df6eea1235bac7ac706cc11

  • SHA256

    b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

  • SHA512

    478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

185.239.242.145:4442

Targets

    • Target

      Symptomaticshon5.exe

    • Size

      108KB

    • MD5

      09b6c8f169567f8557b2d96d9f6d3644

    • SHA1

      f37977654300daf97df6eea1235bac7ac706cc11

    • SHA256

      b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

    • SHA512

      478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks