warzonerat | bd2c2c4d451fbf0d9a21766f08469add420e1ebd09e8f3cec61f200418b238d5 | Triage

Submit
Reports

Overview

overview

Static

static

Perfectly ...ch.exe

windows7_x64

Perfectly ...ch.exe

windows10_x64

Sharing

General

Target

Perfectly Clear Workbench SAMPLE.zip
Size

21.0MB
Sample

211211-yx1mrabfb4
MD5

d69f61d6bbb1953483e555a200f00fe9
SHA1

8742a7ae0f0aa6ba984a9d97766777bdd86d7a41
SHA256

bd2c2c4d451fbf0d9a21766f08469add420e1ebd09e8f3cec61f200418b238d5
SHA512

2cc13db7595452f3f0588e039338eccaaf156bfefe345b772e255bd14e4ae90d6dddf0e8d815ff363afe956e7f5954218f7c3a2a67c52e1dabe0f3dbd45222b4

Score

10^/10

warzonerat webmonitor backdoor infostealer persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

Perfectly Clear Workbench.exe

Resource

win7-en-20211208

webmonitor backdoor infostealer persistence rat upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Perfectly Clear Workbench.exe

Resource

win10-en-20211208

warzonerat webmonitor backdoor infostealer persistence rat upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

95.168.173.176:5200

Targets

- Target
  
  Perfectly Clear Workbench.exe
- Size
  
  22.7MB
- MD5
  
  07c8ab309a013e4786c9587db7a65bdf
- SHA1
  
  ef8ab1daf015590cf14ce47a350a99c82b71d125
- SHA256
  
  9f9f34da4353b46d4b59673ac0520cdf7bd5a513c0590dfde99363cf5f1db657
- SHA512
  
  ef392d50539d36eac9609ffcd76a68fa2e18b9fde03e2f8d4554a557e1bd093129aae302211b0ccd04f39b277feff7067cf0bf33b34604e0ab5a3f8d34dfadf2
Score

10^/10

webmonitor backdoor infostealer persistence rat upx warzonerat
- Modifies WinLogon for persistence
  persistence
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- WebMonitor Payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerpersistenceratupx

behavioral2

warzoneratwebmonitorbackdoorinfostealerpersistenceratupx

© 2018-2024

Terms | Privacy