Overview

overview

10

Static

static

10

9a825ee20f...39.exe

windows7_x64

10

9a825ee20f...39.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

  • Size

    1.8MB

  • Sample

    210505-h4msede3je

  • MD5

    fd27da880372209151379289b0e57d11

  • SHA1

    9d9236804d7a0574ebff234bec1bea519497c27f

  • SHA256

    9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

  • SHA512

    d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Score
10/10
warzoneratevasioninfostealerpersistencerat

Malware Config

Targets

    • Target

      9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

    • Size

      1.8MB

    • MD5

      fd27da880372209151379289b0e57d11

    • SHA1

      9d9236804d7a0574ebff234bec1bea519497c27f

    • SHA256

      9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

    • SHA512

      d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

    Score
    10/10
    warzoneratevasioninfostealerpersistencerat

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks