warzonerat | b884c311eb0332ba6f9c49d5a236a00d0737948573365ee7a86a1ffff8ca58df | Triage

Sharing

General

Target

Shipment_Label_2010992804_PDF.scr
Size

79KB
Sample

210926-ws6xvsfbbq
MD5

b6786cee3227d70e4be1151c37e430ce
SHA1

d77a564bd597dd85b0649e9ab1b9d7aff70b58d6
SHA256

b884c311eb0332ba6f9c49d5a236a00d0737948573365ee7a86a1ffff8ca58df
SHA512

f01eb227761a4de329bcb3a978d776d9f0cc9c540e800b783dae2ae073a9e6b135bfebae9c7a2d94f08ff2502dd590cebabc31034d9db4b06de81b61ac349a42

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

45.162.228.171:26112

Targets

- Target
  
  Shipment_Label_2010992804_PDF.scr
- Size
  
  79KB
- MD5
  
  b6786cee3227d70e4be1151c37e430ce
- SHA1
  
  d77a564bd597dd85b0649e9ab1b9d7aff70b58d6
- SHA256
  
  b884c311eb0332ba6f9c49d5a236a00d0737948573365ee7a86a1ffff8ca58df
- SHA512
  
  f01eb227761a4de329bcb3a978d776d9f0cc9c540e800b783dae2ae073a9e6b135bfebae9c7a2d94f08ff2502dd590cebabc31034d9db4b06de81b61ac349a42
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2