warzonerat | dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5 | Triage

Submit
Reports

Overview

overview

Static

static

dba7c1179e...d5.exe

windows7_x64

dba7c1179e...d5.exe

windows10_x64

Sharing

General

Target

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
Size

3.2MB
Sample

210516-3hflbfc11j
MD5

b81e06b29c4e1058dd8755929a9a2d9e
SHA1

88fd34046f329f209023aa368f230e9b432e4291
SHA256

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
SHA512

b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe

Resource

win7v20210410

warzonerat evasion infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe

Resource

win10v20210408

warzonerat evasion infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
- Size
  
  3.2MB
- MD5
  
  b81e06b29c4e1058dd8755929a9a2d9e
- SHA1
  
  88fd34046f329f209023aa368f230e9b432e4291
- SHA256
  
  dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
- SHA512
  
  b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy