warzonerat | 22bc4fcd0d7610e4618b52e33c5ee551319a4db77796c9e9e1f15d96510e9fa2 | Triage

Submit
Reports

Overview

overview

Static

static

Fedex.exe

windows7_x64

Fedex.exe

windows10_x64

Sharing

General

Target

Fedex.zip
Size

25KB
Sample

210401-ngye4eca6j
MD5

30e3b901503ac3fa8fe5a41dbdb2d28f
SHA1

daddb5b99387a0c35e3dfce25af5de6fbbfed943
SHA256

22bc4fcd0d7610e4618b52e33c5ee551319a4db77796c9e9e1f15d96510e9fa2
SHA512

76d4aff9a636df1c07b9e36af0235d9d8dea018742e5cfa52c203b5f7af51753a63e7162064a00ee0741d46e1533e81ce1965e41d8b754cf7d0d4d8f234f8eb9

Score

10^/10

warzonerat evasion infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Fedex.exe

Resource

win7v20201028

warzonerat evasion infostealer persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Fedex.exe

Resource

win10v20201028

warzonerat evasion infostealer rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

103.199.17.185:5200

Targets

- Target
  
  Fedex.exe
- Size
  
  57KB
- MD5
  
  6886a412048c05ed6a7e6cd4242727cf
- SHA1
  
  274723281c4348326ec4e44093a919676da49c2a
- SHA256
  
  7027f79dffddb7f5e3c6c9dc75616681f46d99adfb26663b90f9ced128c0ca74
- SHA512
  
  cf830d3704ac47cb4ffaa1d1d9947c1dc0cb687c370113c10d09a85c7c6861eed2b6c7cb241767eb9016df5fbf23348e88e2240589c2faf4a8b9a0f559bbb247
Score

10^/10

warzonerat evasion infostealer persistence rat spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Turns off Windows Defender SpyNet reporting
  evasion
- UAC bypass
  evasion trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Nirsoft
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Disabling Security Tools

Bypass User Account Control

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistenceratspywarestealertrojan

behavioral2

warzoneratevasioninfostealerrattrojan

© 2018-2024

Terms | Privacy