warzonerat | ef131c0526ddab283ce5ffd35fe49678bc1c9065439faf06813f5c15a714b727 | Triage

Submit
Reports

Overview

overview

Static

static

3b352f748c...af.exe

windows7_x64

3b352f748c...af.exe

windows10_x64

Sharing

General

Target

3b352f748c8f3829315700687daa73af
Size

90KB
Sample

210713-j7htgzbnhs
MD5

3b352f748c8f3829315700687daa73af
SHA1

4b394128d30734821dcd1fdf4c4a8b1e32d1617a
SHA256

ef131c0526ddab283ce5ffd35fe49678bc1c9065439faf06813f5c15a714b727
SHA512

3210a33fa272da62170c3d46a7dc45100dbe2459f301cc956845b36eb5d84dccfc6835987cf4e4ee43132265c67f1e9200699d6fb7fb09b4f51159c69106c6fa

Score

10^/10

warzonerat evasion infostealer persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3b352f748c8f3829315700687daa73af.exe

Resource

win7v20210410

warzonerat evasion infostealer persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3b352f748c8f3829315700687daa73af.exe

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

176.31.159.203:18970

Targets

- Target
  
  3b352f748c8f3829315700687daa73af
- Size
  
  90KB
- MD5
  
  3b352f748c8f3829315700687daa73af
- SHA1
  
  4b394128d30734821dcd1fdf4c4a8b1e32d1617a
- SHA256
  
  ef131c0526ddab283ce5ffd35fe49678bc1c9065439faf06813f5c15a714b727
- SHA512
  
  3210a33fa272da62170c3d46a7dc45100dbe2459f301cc956845b36eb5d84dccfc6835987cf4e4ee43132265c67f1e9200699d6fb7fb09b4f51159c69106c6fa
Score

10^/10

warzonerat evasion infostealer persistence rat spyware stealer trojan
- UAC bypass
  evasion trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Warzone RAT Payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy