warzonerat | adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052 | Triage

Submit
Reports

Overview

overview

Static

static

adff9b172f...52.exe

windows7_x64

adff9b172f...52.exe

windows10_x64

Sharing

General

Target

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052
Size

1.8MB
Sample

210505-9x9gpx39as
MD5

c2c72d0ce1e2b4aa824b3b11209e20c6
SHA1

535479e17340b248724de24bfd385c5739bbcac0
SHA256

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052
SHA512

a64a7b2c9092501e32b7bcdbc779c178a33af187639e34b14dd3e9c60a5e60929c049ed41614c5d63673b9c584803f459921d54d026bbbe2f76a8d9884744a04

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe

Resource

win7v20210408

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe

Resource

win10v20210410

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052
- Size
  
  1.8MB
- MD5
  
  c2c72d0ce1e2b4aa824b3b11209e20c6
- SHA1
  
  535479e17340b248724de24bfd385c5739bbcac0
- SHA256
  
  adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052
- SHA512
  
  a64a7b2c9092501e32b7bcdbc779c178a33af187639e34b14dd3e9c60a5e60929c049ed41614c5d63673b9c584803f459921d54d026bbbe2f76a8d9884744a04
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy