warzonerat | 5f815bd7f39cccb4b92bea3d36861d6844eeea3307e86b237d794c660d1305c3 | Triage

Submit
Reports

Overview

overview

Static

static

INVOICE_00082925.doc

windows7_x64

INVOICE_00082925.doc

windows10_x64

Sharing

General

Target

INVOICE_00082925.doc
Size

1.0MB
Sample

210719-49plc9btea
MD5

3347d22680185efb3cd73d55b55a5c6d
SHA1

36f0afde99cdabe38dbe7c281b61c17b1ca41372
SHA256

5f815bd7f39cccb4b92bea3d36861d6844eeea3307e86b237d794c660d1305c3
SHA512

54cd4b8033702d2192fe8d860df7a092a23675e1bf6450f5cc3862346ef6f078b6b3de03da81d246284adf8f7a9362909fde5efa361ce9135e9c29f64a0461db

Score

10^/10

warzonerat infostealer rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

INVOICE_00082925.doc

Resource

win7v20210410

warzonerat infostealer rat spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

INVOICE_00082925.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://kqz.ugo.si/svchost.exe

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Targets

- Target
  
  INVOICE_00082925.doc
- Size
  
  1.0MB
- MD5
  
  3347d22680185efb3cd73d55b55a5c6d
- SHA1
  
  36f0afde99cdabe38dbe7c281b61c17b1ca41372
- SHA256
  
  5f815bd7f39cccb4b92bea3d36861d6844eeea3307e86b237d794c660d1305c3
- SHA512
  
  54cd4b8033702d2192fe8d860df7a092a23675e1bf6450f5cc3862346ef6f078b6b3de03da81d246284adf8f7a9362909fde5efa361ce9135e9c29f64a0461db
Score

10^/10

warzonerat infostealer rat spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerratspywarestealer

behavioral2

© 2018-2024

Terms | Privacy