warzonerat | 3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c | Triage

Submit
Reports

Overview

overview

Static

static

3484c5363c...3c.exe

windows7_x64

3484c5363c...3c.exe

windows10_x64

Sharing

General

Target

3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
Size

6.1MB
Sample

210228-avd2dgfz1a
MD5

b9a347ae47fc218b9d581d28cfdf2f02
SHA1

c5228f361b273aae8dbcead1a614be678402c446
SHA256

3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
SHA512

7ce6c11bef261392e5ec35037bc6c0c276aee2ef7c2193e9971eab29abd8b32e2ca3093d1ce1a4f0f26a8b14c43e9dbd5cd9ec03640dd0bc848d292363ab9dc0

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c.exe

Resource

win7v20201028

warzonerat xmrig infostealer miner persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c.exe

Resource

win10v20201028

warzonerat xmrig evasion infostealer miner persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
- Size
  
  6.1MB
- MD5
  
  b9a347ae47fc218b9d581d28cfdf2f02
- SHA1
  
  c5228f361b273aae8dbcead1a614be678402c446
- SHA256
  
  3484c5363c5cec57c35318fd0ff2b306341998cf6b0277681e5131bd54c7443c
- SHA512
  
  7ce6c11bef261392e5ec35037bc6c0c276aee2ef7c2193e9971eab29abd8b32e2ca3093d1ce1a4f0f26a8b14c43e9dbd5cd9ec03640dd0bc848d292363ab9dc0
Score

10^/10

warzonerat xmrig infostealer miner persistence rat evasion
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratxmriginfostealerminerpersistencerat

behavioral2

warzoneratxmrigevasioninfostealerminerpersistencerat

© 2018-2024

Terms | Privacy