warzonerat | f50e0cb0a3ea1ee41d812809b39b71470544dd0d366e8171d5a507e414d6a7df | Triage

Submit
Reports

Overview

overview

Static

static

Inquiry.doc

windows7_x64

Inquiry.doc

windows10_x64

Sharing

General

Target

Inquiry.doc
Size

368KB
Sample

210706-ewqergcfpa
MD5

bbf819de6c9330f25be537996b5fc2d3
SHA1

593968326a3b1d3ccd209c9983ede8d800e2cac4
SHA256

f50e0cb0a3ea1ee41d812809b39b71470544dd0d366e8171d5a507e414d6a7df
SHA512

f0acaa1bfbce631596854394caf1b27caa95e4508ff52d53ef5efaa65bbe7975f49bd24412fd50dbfe890e70dbc3d79563c454900f2df1d10702b0b252880e94

Score

10^/10

warzonerat infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Inquiry.doc

Resource

win7v20210410

warzonerat infostealer persistence rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Inquiry.doc

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://147.124.212.196/good.exe

Extracted

Family

warzonerat

C2

147.124.212.196:1111

Targets

- Target
  
  Inquiry.doc
- Size
  
  368KB
- MD5
  
  bbf819de6c9330f25be537996b5fc2d3
- SHA1
  
  593968326a3b1d3ccd209c9983ede8d800e2cac4
- SHA256
  
  f50e0cb0a3ea1ee41d812809b39b71470544dd0d366e8171d5a507e414d6a7df
- SHA512
  
  f0acaa1bfbce631596854394caf1b27caa95e4508ff52d53ef5efaa65bbe7975f49bd24412fd50dbfe890e70dbc3d79563c454900f2df1d10702b0b252880e94
Score

10^/10

warzonerat infostealer persistence rat spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistenceratspywarestealer

behavioral2

© 2018-2024

Terms | Privacy