warzonerat | 4003aba6461fce00a63ba6b1aeb641e212b9762ff97142bde50595877d803351 | Triage

Submit
Reports

Overview

overview

Static

static

Shipment D...st.exe

windows7_x64

3

Shipment D...st.exe

windows10_x64

Sharing

General

Target

Shipment Document BL,INV and Packing list.r11
Size

6KB
Sample

211008-lq26sadgc3
MD5

c1413ae6ae7b1a685e55ecc607b0563e
SHA1

04582ce4a33b9ce48179d075d5dbcae30068c797
SHA256

4003aba6461fce00a63ba6b1aeb641e212b9762ff97142bde50595877d803351
SHA512

8c909ea0a5fa523356ca85b61daf35c0f16a90bcf9d23133a131c72a187188924132e34d90625ff8de91f18d4bac045c3e0ded25a1f67a5d93ae6457e4118d71

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Shipment Document BL,INV and Packing list.exe

Resource

win7v20210408

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Shipment Document BL,INV and Packing list.exe

Resource

win10-en-20210920

warzonerat collection infostealer persistence rat spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

enginekeysmoney.ddns.net:9671

Targets

- Target
  
  Shipment Document BL,INV and Packing list.exe
- Size
  
  25KB
- MD5
  
  bd1b61722ae264d4f00a0fb412d12bc0
- SHA1
  
  4188fa6acae6960268d2bc0512aea9dc08ba7486
- SHA256
  
  58a5be83221386f1bae87b2a785b08c758591bcbc235b21132240feece1972bc
- SHA512
  
  8feff8a854015545ac3b92d1e2d3242957ca504c6b5d89160951e64421c8c06d0643a6af3a6a436901eae43790741a642d8a71c91330bfccefcbfccb808ba6f6
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy