warzonerat | 509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647 | Triage

Submit
Reports

Overview

overview

Static

static

509fb9cf94...47.exe

windows7_x64

509fb9cf94...47.exe

windows10_x64

Sharing

General

Target

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647
Size

1.8MB
Sample

210504-a6aeffwq66
MD5

c751650a93ae7535b12bd544e878cb92
SHA1

0b73c8c183250ea62d5c076a3740dd4ba3987fe6
SHA256

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647
SHA512

cd840ea9c8000e24d42f53077acf44c595578c3113efe23ef1e6b0a75e98d36fc9c521589225cd24fca91e9a8bde1280106f47901b3b2db3aa78ec164cd6cb40

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe

Resource

win7v20210408

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe

Resource

win10v20210408

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647
- Size
  
  1.8MB
- MD5
  
  c751650a93ae7535b12bd544e878cb92
- SHA1
  
  0b73c8c183250ea62d5c076a3740dd4ba3987fe6
- SHA256
  
  509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647
- SHA512
  
  cd840ea9c8000e24d42f53077acf44c595578c3113efe23ef1e6b0a75e98d36fc9c521589225cd24fca91e9a8bde1280106f47901b3b2db3aa78ec164cd6cb40
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy