warzonerat | 34ef4f8cfb814da5aeb5f3181301976e3622470fd9bfbfec8c016e7eed215d8f | Triage

Submit
Reports

Overview

overview

Static

static

1

PAYMENT CO...df.exe

windows7_x64

PAYMENT CO...df.exe

windows10_x64

Sharing

General

Target

PAYMENT COPY-20211106_pdf.exe
Size

308KB
Sample

210611-sxmkxsyvp2
MD5

c288afa652187f51cd8a51225403b371
SHA1

47da2c2d1f08cbdfa92576588f466b59da5645cb
SHA256

34ef4f8cfb814da5aeb5f3181301976e3622470fd9bfbfec8c016e7eed215d8f
SHA512

d1c0fbffa2523ba3f770034ce788597f37f7fab042c8d843219d4c053d0bf548e1562a24e6d7614285cafc329a5797f16b9b173eeb0f014f4ab81b43b677aac0

Score

10^/10

warzonerat infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

PAYMENT COPY-20211106_pdf.exe

Resource

win7v20210408

warzonerat infostealer persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PAYMENT COPY-20211106_pdf.exe

Resource

win10v20210408

warzonerat infostealer persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

103.155.83.189:1289

Targets

- Target
  
  PAYMENT COPY-20211106_pdf.exe
- Size
  
  308KB
- MD5
  
  c288afa652187f51cd8a51225403b371
- SHA1
  
  47da2c2d1f08cbdfa92576588f466b59da5645cb
- SHA256
  
  34ef4f8cfb814da5aeb5f3181301976e3622470fd9bfbfec8c016e7eed215d8f
- SHA512
  
  d1c0fbffa2523ba3f770034ce788597f37f7fab042c8d843219d4c053d0bf548e1562a24e6d7614285cafc329a5797f16b9b173eeb0f014f4ab81b43b677aac0
Score

10^/10

warzonerat infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistenceratspywarestealer

behavioral2

warzoneratinfostealerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy