warzonerat | 5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6 | Triage

Submit
Reports

Overview

overview

Static

static

5d597c9d90...c6.exe

windows7_x64

5d597c9d90...c6.exe

windows10_x64

Sharing

General

Target

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
Size

1.8MB
Sample

210516-39zxfpr4ys
MD5

bd446939da29c3ec6450c05da7ad5db5
SHA1

3a80891a8262beb59976fcad4cb12f2e183619bc
SHA256

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
SHA512

23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe

Resource

win7v20210410

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe

Resource

win10v20210408

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
- Size
  
  1.8MB
- MD5
  
  bd446939da29c3ec6450c05da7ad5db5
- SHA1
  
  3a80891a8262beb59976fcad4cb12f2e183619bc
- SHA256
  
  5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
- SHA512
  
  23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy