Overview

overview

10

Static

static

ORDER_23.exe

windows7_x64

10

ORDER_23.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8a810c641ff22a6031ba8d80364e5b8d5a666757ff6f3b6c708562b9d25fba10

  • Size

    1.6MB

  • Sample

    220521-xa85yabdb4

  • MD5

    1493fb3f5c81b02606552deb259e8cdc

  • SHA1

    7af8a9581a5f245113ff51556af02e5b79bffe7b

  • SHA256

    8a810c641ff22a6031ba8d80364e5b8d5a666757ff6f3b6c708562b9d25fba10

  • SHA512

    2232c4a82ad584aba391afea7c833e19a95e0b02371ddf4c1dab1107ce26d0eeddb750fc642be2d48d47c4549f95bf3b06fcf118eef6e324a7c0d78e5cd0a398

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

afada.duckdns.org:52001

Targets

    • Target

      ORDER_23.EXE

    • Size

      1.0MB

    • MD5

      82dc8466aec29d8b7ea1b7e61544237e

    • SHA1

      2a6d1c5e7f9b13d498a0fa809455a634a086b782

    • SHA256

      b10488bbd95fcf6ddad889eaefb6a7585a41071d24062bd0894ce6a5fc6eab87

    • SHA512

      1fe96375ce222a78b60491261ef7fc3db9d5de20d9865ad36253aceaaaa277e6065c79e43b2a3cb6c5b68c618bf0b4c36ceb082e5e201ca5ac8dfcf07ca6de9b

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks