Overview

overview

10

Static

static

10

c070befbab...be.exe

windows7_x64

c070befbab...be.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c070befbab91e5d52892b6d13c3394f55d75748a3608e88e5cf0e720f447f4be

  • Size

    1.8MB

  • Sample

    210518-x15je8ffee

  • MD5

    7186adff1169eb88d46293c434eedb29

  • SHA1

    7fa9e8b065fe5b57010e846cd0f353e15868d540

  • SHA256

    c070befbab91e5d52892b6d13c3394f55d75748a3608e88e5cf0e720f447f4be

  • SHA512

    67cc33b0938863bf93335f52ed1d2edb0b8bd5be8b6d25203750ed04e716bb5529a4372e02466008740fce68dbfdcbb3ba047e1c18e8b2d66383b9925d3dadf8

Score
10/10
warzoneratevasioninfostealerpersistencerat

Malware Config

Targets

    • Target

      c070befbab91e5d52892b6d13c3394f55d75748a3608e88e5cf0e720f447f4be

    • Size

      1.8MB

    • MD5

      7186adff1169eb88d46293c434eedb29

    • SHA1

      7fa9e8b065fe5b57010e846cd0f353e15868d540

    • SHA256

      c070befbab91e5d52892b6d13c3394f55d75748a3608e88e5cf0e720f447f4be

    • SHA512

      67cc33b0938863bf93335f52ed1d2edb0b8bd5be8b6d25203750ed04e716bb5529a4372e02466008740fce68dbfdcbb3ba047e1c18e8b2d66383b9925d3dadf8

    Score
    10/10
    warzoneratevasioninfostealerpersistencerat

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks