warzonerat | c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9

Sharing

Copy URL

Twitter E-mail

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4.7z
Size

5.0MB
Sample

220617-1g6j6sdddj
MD5

2ef2cf7195cf0454560bc8e48f34b6e0
SHA1

12d96d76abedb97e5c96f68a044d3810b2340224
SHA256

c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9
SHA512

1c85722a782dab780e0a4e4d0b0e8ec6ed218ad5f95ffd67da4baaf4bf70bdc9e73aa2ff4bd0c1c577b1c08229e3f930c70e7d656ec5e7b905a7b00ec87612c6

Score

10^/10

Malware Config

Extracted

Family

warzonerat

195.140.214.82:6703

Targets

- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe
- Size
  
  172KB
- MD5
  
  2e6f05e8245b62297355f070a6f966df
- SHA1
  
  7461222b5d34eb2328c7d50a75956f9dc78c32a3
- SHA256
  
  f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
- SHA512
  
  44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
Score

10^/10

xpertrat evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/BIozhqydH.exe
- Size
  
  172KB
- MD5
  
  2e6f05e8245b62297355f070a6f966df
- SHA1
  
  7461222b5d34eb2328c7d50a75956f9dc78c32a3
- SHA256
  
  f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
- SHA512
  
  44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
Score

10^/10

xpertrat evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/CL_Utility.ps1
- Size
  
  13KB
- MD5
  
  1dcb96bed7d20df592189176d6e200fd
- SHA1
  
  18e6791e33924e8c243f352b4bb3fd3fa046d4fa
- SHA256
  
  6ba73a35a33a242cefc66637565ecd5356bdbb4fe71263328691d708615889ed
- SHA512
  
  a6497ed430dce0efe3b8521602f3e10a251f9dd0f5306ff0d03876ab840ccec7fc953775ad7dda7af02bd35139f74b8d5217461642f792859a9b60f5c9126763
Score

1^/10
behavioral3
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/DismHost.exe
- Size
  
  133KB
- MD5
  
  5867dc628a444f2393f7eff007bd4417
- SHA1
  
  a8a65b6a45a988f06e17ebd04e5462ca730d2337
- SHA256
  
  b94317b7c665f1cec965e3322e0aa26c8be29eaf5830fb7fcd7e14ae88a8cf22
- SHA512
  
  6b5cec2057188201241c7dc029289325273554c75d6cd07b91c8ce2197f02fefd2494c6ea01c411e693bd039786599cfc92e9e32e45039ff76a2278f099f34b7
Score

1^/10
behavioral4
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/IoJbxlqcb.exe
- Size
  
  172KB
- MD5
  
  2e6f05e8245b62297355f070a6f966df
- SHA1
  
  7461222b5d34eb2328c7d50a75956f9dc78c32a3
- SHA256
  
  f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
- SHA512
  
  44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
Score

10^/10

evasion trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_AdminDiagnosticHistory.ps1
- Size
  
  1KB
- MD5
  
  daf3caf9fee184902f88cf68c916254c
- SHA1
  
  677241f9c1e39ee6347107eab0e742f38f04b27b
- SHA256
  
  659ebf584a5e0d31590d848ea13a3faff10c88f2d129baa3c2a1635be0e17613
- SHA512
  
  5e2eeb0e8a70a350e655e6f7333d9cabf487da999adbfacccd6f88aab588f055522a19f957e3495c69e3e1997bf573d0318bab16cb1a2fa0ab63c67b6c7716d3
Score

1^/10
behavioral6
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_MachineWERQueue.ps1
- Size
  
  1KB
- MD5
  
  4ead5ff0de8201daa5c771c9700c45ab
- SHA1
  
  568f6170ecaa7851b8707d43658efc4e44f571bd
- SHA256
  
  77467ae995127372d335d7a5406ebd98cd3385ca7f8644e1342643330ec93341
- SHA512
  
  1216a7fa1b4e090bdcf0011d9676b2e0a5126587d171bcfc239fd36f2314f37f708bdb3a285a1fba08ae569c07f9d30e70884e15e9678adc9d2196bc035dafe5
Score

1^/10
behavioral7
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_SyncSystemTime.ps1
- Size
  
  1KB
- MD5
  
  4e88b2a8ec2119ce19be4f646887cd5b
- SHA1
  
  4a2476fe0306e7a50355c3778cc9c4e35c787236
- SHA256
  
  dc504537a34a8d3114d414b9681ac1936d59e497dbf39e8be03760010c978da2
- SHA512
  
  fa82a4d80fe60c5bdd350e14b6df5176313f9d16716ec7df1be0479c2eff498819ba25cc9bb33958184f03d57dab624d46750a06368ea59b1820916b33ad0d79
Score

1^/10
behavioral8
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_UserDiagnosticHistory.ps1
- Size
  
  1KB
- MD5
  
  3a3ea51ac79c212f298ed11e5312f4ef
- SHA1
  
  cb67bddd6c00e37386c5c92f1dc18c21f7f46c9f
- SHA256
  
  4ab9317a0aae09510c150918c1757c7492c93606268a5e33f56031c244632a5a
- SHA512
  
  1387a95b2258690e25d070a79b0729c434adde52a6803562e9bbe2b6ed2acd22056693e77075d37d7e64c2c7290818af150f8689987728f5d41ff40f63c6fba3
Score

1^/10
behavioral9
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_UserWERQueue.ps1
- Size
  
  1KB
- MD5
  
  014bb59898d97ee5e9d0c3d598879659
- SHA1
  
  e1a7ca7d302e81ef619b72f07f8c2f834dd8631a
- SHA256
  
  136183a5d64c516cee0a3cb893adfa5d083cd4b74113d7665afec6e4edd55c03
- SHA512
  
  853ce2aff74e97bd39ef3f9ef847bc0597ec1a11e64a7c297808e362d9837661177cf481086784cc4149fe7ddebba4230b14a546b463da9d590f4097abd64449
Score

1^/10
behavioral10
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/TS_DiagnosticHistory.ps1
- Size
  
  2KB
- MD5
  
  6f42efe37f2f73bc4d5531a5906844c5
- SHA1
  
  6f8e508526af2f5a9ab618ebb26b140e8b2811b4
- SHA256
  
  00915c9baba87359a458d23e18f412647852a3260280a0d64af5e91307c01bce
- SHA512
  
  0a58aaa8451197dbb9cdc4a807fcbccb77b6f2fce18e973c9b6562eb3337356c45371b43fc4e07d3bd624769e3ed3af689cdfb388a9dd08333375acb5902de70
Score

1^/10
behavioral11
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/TS_InaccurateSystemTime.ps1
- Size
  
  4KB
- MD5
  
  d1f499ef5b4a1b0fe5ac6b9b06d14b36
- SHA1
  
  9105e7c23d4095a043cada114a1c70f972b5b184
- SHA256
  
  437debeae0f2b876d887a22ce26f44701ceb314e7b22d0292d1527b31805f304
- SHA512
  
  2b85f644bb5411a3b12fde98dd6356259ea42a2440d0fc8b469e64ff0477f5aff328881055314fa125680851d87e5cea2194b8886bcb252619e8e95fe951b7f7
Score

1^/10
behavioral12
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/TS_WERQueue.ps1
- Size
  
  2KB
- MD5
  
  c65ce632a3a35df1e2e687aa94432c58
- SHA1
  
  4ad0544c2e61287ea06cf0903405aa561f37e842
- SHA256
  
  46361b7489f075d4d426b33932a7a94d57f5e03125781e562027aa6d0c448a77
- SHA512
  
  4cb19abb3efeb753b1496c39f6066cc2974101fa4a64260d779d01bee289781f7f843a01c51e73ce922c58d3e1dae85801dcd05ef65a6791d256fd77012a6bec
Score

1^/10
behavioral13
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/Video.UI.exe
- Size
  
  24.9MB
- MD5
  
  6d09992fc7789db137d3650307d0adbc
- SHA1
  
  af1376c27f5e7b925418bbf75ba2c3079c943518
- SHA256
  
  f27ac9910b9a781b612029e64e8bf63a6dc8b4336ad66d6a7260bf058b493781
- SHA512
  
  73ee9508a350862c6ec79d672dca47b0353c50dd3d115eef451cc98377be1ce3cf1845e1999c8400c6674f59b10f7793a64429271590d8e4c7ea879a46fef3d2
Score

1^/10
behavioral14
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/__PSScriptPolicyTest_eg4nc2yx.0nl.ps1
- Size
  
  81B
- MD5
  
  b2d34bf360c7c2474aed6b63664d2712
- SHA1
  
  7e7ab30d6f902fd37806dcd58913ee62369225dd
- SHA256
  
  68ac98e66c15cbdc9e676a2bd04db0b4d9db3a9cdc916c2da1c962e719655d48
- SHA512
  
  ab99915e7dc64f6f0e4173c2c6283e45b3af4931fbf6e454c8c983ee1fd86cf66d8ff80f50cf50421d1af71b7358045bc73960ed866f5da0b74b2f5bac7c0e4f
Score

1^/10
behavioral15
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/aspnet_wp.exe
- Size
  
  38KB
- MD5
  
  98c345e7f21d40b5d9102b83bc670dc6
- SHA1
  
  b353761eb187a426962e960037a9532dd15b9a15
- SHA256
  
  b4e267fa56ee9aba91f5f645b6a62c9b31ac4a8e530843ef2d3a6af3c4ae5ba9
- SHA512
  
  5ac4f462e1bc13393d6699f94c887004ad912b5e1c89c144f78dd42f30c6fd0e1f4a1093bf4f93a7ed92c1c8f0c907b09b3c226d223fb531fbb61388da7a1f52
Score

1^/10
behavioral16
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/esfctKdzg.exe
- Size
  
  172KB
- MD5
  
  2e6f05e8245b62297355f070a6f966df
- SHA1
  
  7461222b5d34eb2328c7d50a75956f9dc78c32a3
- SHA256
  
  f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
- SHA512
  
  44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
Score

10^/10

evasion trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral17
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/smsvchost.exe
- Size
  
  135KB
- MD5
  
  a35d38a33a4de8ea83fbd73524daa0d2
- SHA1
  
  e53c001aa497552dddf5915ddcb23b550b06aae6
- SHA256
  
  092705c17d057e86ea25b269819ccffd21a2f72a8563cfbe2941a38559e13620
- SHA512
  
  73ef7125658691a92dd8632cba20708502efcbf7d9b02a005a08748a33aea91d1e703fa7c6d60a39d1291197a8bd9f45433fc3f010149628789210780040d09c
Score

1^/10
behavioral18
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/w..orIFtb.exe
- Size
  
  172KB
- MD5
  
  2e6f05e8245b62297355f070a6f966df
- SHA1
  
  7461222b5d34eb2328c7d50a75956f9dc78c32a3
- SHA256
  
  f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178
- SHA512
  
  44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899
Score

10^/10

xpertrat evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral19
- Target
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/xpertwar.exe
- Size
  
  652KB
- MD5
  
  85063571eccad2a81103ea6603ba1e08
- SHA1
  
  c762c1e085a489b21c125e75e21683cd86e138c9
- SHA256
  
  f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4
- SHA512
  
  8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
behavioral20

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

UAC bypass

Windows security bypass

XpertRAT

Adds policy Run key to start application

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Program crash

Suspicious use of SetThreadContext

UAC bypass

Windows security bypass

XpertRAT

Adds policy Run key to start application

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

UAC bypass

Windows security bypass

Windows security modification

Checks whether UAC is enabled

Program crash

Suspicious use of SetThreadContext

UAC bypass

Windows security bypass

Windows security modification

Checks whether UAC is enabled

Program crash

Suspicious use of SetThreadContext

UAC bypass

Windows security bypass

XpertRAT

Adds policy Run key to start application

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

WarzoneRat, AveMaria

Warzone RAT Payload

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20