warzonerat | bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1 | Triage

Submit
Reports

Overview

overview

Static

static

bc630e07cf...c1.exe

windows7_x64

bc630e07cf...c1.exe

windows10_x64

Sharing

General

Target

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
Size

1.8MB
Sample

210505-b64gcx4m16
MD5

b78f5c47acef55129ff8d9862c477dcf
SHA1

4c8d602143a1a2fd5201ec4214cee155101e5911
SHA256

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
SHA512

d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1.exe

Resource

win7v20210410

warzonerat infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1.exe

Resource

win10v20210410

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
- Size
  
  1.8MB
- MD5
  
  b78f5c47acef55129ff8d9862c477dcf
- SHA1
  
  4c8d602143a1a2fd5201ec4214cee155101e5911
- SHA256
  
  bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
- SHA512
  
  d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e
Score

10^/10

warzonerat infostealer persistence rat evasion
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy