warzonerat | ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30 | Triage

Submit
Reports

Overview

overview

Static

static

ad6b307bca...30.exe

windows7_x64

ad6b307bca...30.exe

windows10_x64

Sharing

General

Target

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30
Size

1.8MB
Sample

210504-yghh7wkr7x
MD5

adeb4690226aef0af78119115ad3227b
SHA1

fab9eac25fd6b371fc236d4b6a38958d0ad06021
SHA256

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30
SHA512

37e016c858bb77b7735c268aa314d9d87bb44ce98aa58076bd22cc174b271422d8aab0743238d94f7757683a0a9cfc3c3c59931baac8cc70e634b86bbea5fb48

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe

Resource

win7v20210408

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe

Resource

win10v20210410

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30
- Size
  
  1.8MB
- MD5
  
  adeb4690226aef0af78119115ad3227b
- SHA1
  
  fab9eac25fd6b371fc236d4b6a38958d0ad06021
- SHA256
  
  ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30
- SHA512
  
  37e016c858bb77b7735c268aa314d9d87bb44ce98aa58076bd22cc174b271422d8aab0743238d94f7757683a0a9cfc3c3c59931baac8cc70e634b86bbea5fb48
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy