warzonerat | 90490e4bfcae318d0ee15e9d10bd23838dc0e7f9c16e4872bf58aad4b16fde88 | Triage

Sharing

General

Target

DLLclnbldwrz189r.zip
Size

380KB
Sample

210706-rxqnd7bqf6
MD5

8f3fe18381f494fe9b2a471f916ca301
SHA1

71bfeec8b1bb15e9b0e03fa98decf01a2263fcf1
SHA256

90490e4bfcae318d0ee15e9d10bd23838dc0e7f9c16e4872bf58aad4b16fde88
SHA512

e080102f72b4202f2fb07599aebfff8c67ed45215669b20ada4220fa98a445c4442130225c78d2da66dde3d78c5ebff6fe2bca89b2c5349d8ea3ea19ddb3c97f

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

officedesktop004018.webredirect.org:5500

Targets

- Target
  
  DLLclnbldwrz189r.exe
- Size
  
  509KB
- MD5
  
  ea66109d778e103e3ce06ee6b389367a
- SHA1
  
  14cda06a0640840671fe9fd8e8273246f0db9e1a
- SHA256
  
  78f124b7a00d29a4573c261f1ef8be979ce46c347371365ba820ba5750422f88
- SHA512
  
  84fd40a1c538aefcf4a703df4c64b943b38b34f9a26cb35c247f5be59a55f5f8d31c216f81ffa79cb7611fde790a7b8bf62fe20ce50633df41ac2b96b9d99155
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat