Overview

overview

10

Static

static

PAYMENT DETAILS.exe

windows7_x64

10

PAYMENT DETAILS.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    67b0a5a1c885e503c4996d844e018bd8d68bce6a27364a02782b70fbb6f6ea97

  • Size

    418KB

  • Sample

    220521-xal1eaeehl

  • MD5

    04f71831a2e0c129f965f9da9c9fa4b8

  • SHA1

    a91a5182f18288d62c515dec1b9cf60af6c247b4

  • SHA256

    67b0a5a1c885e503c4996d844e018bd8d68bce6a27364a02782b70fbb6f6ea97

  • SHA512

    360827d5526074f3ac445ec573dceb88fd02ba88f52d8e73deb882d2e4b68422cb2b3da30be967ca240281e6df040c329d45cad49283b4658ed84c9ec9dcd472

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

52.168.163.161:5200

Targets

    • Target

      PAYMENT DETAILS.exe

    • Size

      1.3MB

    • MD5

      2232dfdb7c3927d73d832bb782821eae

    • SHA1

      dba1ac5f1cf909ce1a6cb6c860d50e6e86f7ea13

    • SHA256

      785c0d4d25629a52bf22014d5e21c10dbd19e6e7958eb400ea445182a827578f

    • SHA512

      a3c194f33643d3a7e8b23443bae754d35a21f37d7b0bb454e41933fbdabaffee3e7ba6e1b5b2f16f353b9df7ccfd61f358f5b5099559eaf38975111abfa8666b

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks