Overview

overview

10

Static

static

STATEMENT ...29.exe

windows7_x64

10

STATEMENT ...29.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    STATEMENT OF ACCOUNT_2021-10-04989829.exe

  • Size

    415KB

  • Sample

    211005-qsy95ahgh7

  • MD5

    ba089fe4546d19803adad582ca6f2ec5

  • SHA1

    32c00e95b5f398c7bb7261feb35290e34c59d21f

  • SHA256

    014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

  • SHA512

    1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Targets

    • Target

      STATEMENT OF ACCOUNT_2021-10-04989829.exe

    • Size

      415KB

    • MD5

      ba089fe4546d19803adad582ca6f2ec5

    • SHA1

      32c00e95b5f398c7bb7261feb35290e34c59d21f

    • SHA256

      014cd6b5ea8a3b792f7f8926eab05f857fa548a5c75bb6a2c0292f71536cb228

    • SHA512

      1b443fd3bdbe05de713311c867ef4b5c73d21eabcd9d89c4df5ad6e78c06c0cf390f52e04cd25a74754bf9cbe007e5abf25787f2dcb089bb66f929b2b0f93592

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Winlogon Helper DLL

1
T1004

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks