Overview

overview

10

Static

static

sample & list.exe

windows7_x64

10

sample & list.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample _ list.ace

  • Size

    279KB

  • Sample

    210722-gdqr9krj2s

  • MD5

    a1302b11b26a4e7d31a36d5d4a711d2c

  • SHA1

    b9fca4b04e35b3f2b3c185ae631b4eb6d295df2b

  • SHA256

    11daf2061e6239ea6c68db36371ace9433dfb783a768a2d7281dba0e58ead375

  • SHA512

    e105d36ae26aef40a2bdf13a90375539a8dda0d30bb4d70d291f0b313d1c271daae984cddc6b5e23f9c00f0d6434c5ba3d3ef8d4188a273be91f6b6ad41cec8f

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

msteel1759.ddns.net:47680

Targets

    • Target

      sample & list.exe

    • Size

      675KB

    • MD5

      e5d9171fcddcb7ad12ba356039f961ae

    • SHA1

      a093a11278a11d9db0d648fec160ad1b8217ffe4

    • SHA256

      52477714f4d4870a73c7ea42a240b4191e895860f0268ef16b5f0c49d338447d

    • SHA512

      dfe707354f4c8bac9f9190e04f6775ddaeb9ac1e04baf54f341617cb56e4b10fee63a0df746cff0d1f8b6380e7bb7c097f1235e0779f28d9f17dbb83d649e975

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks