warzonerat | ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01 | Triage

Submit
Reports

Overview

overview

Static

static

ebcb061131...01.exe

windows7_x64

ebcb061131...01.exe

windows10_x64

Sharing

General

Target

ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01
Size

5.9MB
Sample

210228-ykh95fwhmj
MD5

b76397cc87272fa87623b28045474e0e
SHA1

4cb58602ab54d3dd406a6e1af1439d71df12d44c
SHA256

ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01
SHA512

f195508f460d68031468b327bfaa620c1762a63cc61bc3731a5a9ccaa5646171b613a06e16f7001709d9facab90a016281ff9e749753a16b63b5a312c235dc79

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat upx

Static task

static1

rat upx warzonerat

Behavioral task

behavioral1

Sample

ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01.exe

Resource

win7v20201028

warzonerat xmrig evasion infostealer miner persistence rat upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01.exe

Resource

win10v20201028

warzonerat xmrig evasion infostealer miner persistence rat upx

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01
- Size
  
  5.9MB
- MD5
  
  b76397cc87272fa87623b28045474e0e
- SHA1
  
  4cb58602ab54d3dd406a6e1af1439d71df12d44c
- SHA256
  
  ebcb061131ca2a3704db979a2fe8c9f42f653262365a2e981b6b38e0085e0e01
- SHA512
  
  f195508f460d68031468b327bfaa620c1762a63cc61bc3731a5a9ccaa5646171b613a06e16f7001709d9facab90a016281ff9e749753a16b63b5a312c235dc79
Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat upx
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

ratupxwarzonerat

behavioral1

warzoneratxmrigevasioninfostealerminerpersistenceratupx

behavioral2

warzoneratxmrigevasioninfostealerminerpersistenceratupx

© 2018-2024

Terms | Privacy