warzonerat | dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45 | Triage

Submit
Reports

Overview

overview

Static

static

dd3bfcb4d3...45.exe

windows7_x64

dd3bfcb4d3...45.exe

windows10_x64

Sharing

General

Target

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
Size

1.8MB
Sample

210504-heh3nzykhx
MD5

c1ad5f2ef3adc0df53f806aae1b0429b
SHA1

2f132de302815f8eb4d5b0595d15c3728144d84a
SHA256

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
SHA512

7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe

Resource

win7v20210408

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe

Resource

win10v20210410

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
- Size
  
  1.8MB
- MD5
  
  c1ad5f2ef3adc0df53f806aae1b0429b
- SHA1
  
  2f132de302815f8eb4d5b0595d15c3728144d84a
- SHA256
  
  dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
- SHA512
  
  7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy