warzonerat | f2b52783d75599508c49a1e7be95a2c7326eb16ae89252540f7c049206dae166 | Triage

Submit
Reports

Overview

overview

Static

static

DLT TEMPLATE.exe

windows7_x64

DLT TEMPLATE.exe

windows10_x64

Sharing

General

Target

DLT TEMPLATE.COM
Size

393KB
Sample

220207-gcrexagbd8
MD5

37939894527229498b818d7b5af7f178
SHA1

9f38a4b61ec79233f5868cb945612761e100a4e7
SHA256

f2b52783d75599508c49a1e7be95a2c7326eb16ae89252540f7c049206dae166
SHA512

55a637ba2917a07efe651d088c335f37ec70a13023d4a655312b0a3748e2cd62235a5022cbba232918de184e5527da7cc20106ebdf41db498d8ad169a2378ce5

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

DLT TEMPLATE.exe

Resource

win7-en-20211208

warzonerat infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

DLT TEMPLATE.exe

Resource

win10-en-20211208

warzonerat infostealer persistence rat

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

iphanyi.webredirect.org:5552

Targets

- Target
  
  DLT TEMPLATE.COM
- Size
  
  393KB
- MD5
  
  37939894527229498b818d7b5af7f178
- SHA1
  
  9f38a4b61ec79233f5868cb945612761e100a4e7
- SHA256
  
  f2b52783d75599508c49a1e7be95a2c7326eb16ae89252540f7c049206dae166
- SHA512
  
  55a637ba2917a07efe651d088c335f37ec70a13023d4a655312b0a3748e2cd62235a5022cbba232918de184e5527da7cc20106ebdf41db498d8ad169a2378ce5
Score

10^/10

warzonerat infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtCreateProcessExOtherParentProcess
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy