Overview

overview

10

Static

static

Scan-2021-...at.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan-2021-10-06-89388399008827829020287278299276678292026368298.rev

  • Size

    273KB

  • Sample

    211007-1cwjeadbcr

  • MD5

    d68ea4b0a267dfc79bed85cc70076c2e

  • SHA1

    68ec2702ba2afb739b2f5dc0f1b90070dfca93c2

  • SHA256

    e32e27ecb69ca65b8bcb23a748da370c3cd306bbe4d186d840b2632187b12109

  • SHA512

    c2bb843d4127cebb778a884deb553e3d002121c20025be6c62d4d43859094674bb075f3aa88cf6454d84d7699f7ae7f86875ec71b821f870bd0436671c18e8e7

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

176.126.86.243:2021

Targets

    • Target

      Scan-2021-10-06-89388399008827829020287278299276678292026368298.bat

    • Size

      334KB

    • MD5

      4176461be62d517adba95d7ab909e7bb

    • SHA1

      e53120f9ad641252e41aa677de123152cd72215f

    • SHA256

      4bd74f7785ffaf625efdf131775b504966321554e008bd156002f857f866d458

    • SHA512

      4e959c76fdd76d5907c467da5168574e1bf320e7c47dec95c20a4e8f87a95c4e69fbbd5f454082295cb0f457f2d1d070d35d364868dfef9e390e1e2075ea07ed

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks