Overview

overview

10

Static

static

scan001.exe

windows7_x64

10

scan001.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    de470a6ebe74b1f43aacda87b2655c13f221544c11606decc06e6a6cfacab1b5

  • Size

    418KB

  • Sample

    220521-xzxhfacgg4

  • MD5

    032c959f179e2f8a7a754b90b69ddde5

  • SHA1

    b245639baaee90c6745482f99d411438e2ba41f0

  • SHA256

    de470a6ebe74b1f43aacda87b2655c13f221544c11606decc06e6a6cfacab1b5

  • SHA512

    de4c6250f21ad34cada4ad5a8734565a7fe4e560d9de231d7043431be8e6a52c59c79c02caf77e8a4fb31b618344e9d763ac014ae62e03a0fba88548590c1b25

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.34:5200

Targets

    • Target

      scan001.exe

    • Size

      1.3MB

    • MD5

      dec59124b7990c19313cec352f47414f

    • SHA1

      84769168287f5f3c9a9467b129eee606c452f0dc

    • SHA256

      2c17ec053eeef1daed652560bd9bd8672fd2bd160595f998f87c017b3c7095c5

    • SHA512

      55072103d13191e1e78b491b6e6ec3ab681f14342273158fedef4042d1822e0938bbf86213be8667cf0174c4720a56844e8cbac55bdfa2138e58d459a2d38997

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT Payload

      rat

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks