Overview

overview

10

Static

static

bdc5a66a0d...ac.exe

windows7-x64

3

bdc5a66a0d...ac.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac.exe

  • Size

    451KB

  • Sample

    221111-s9znbsgf97

  • MD5

    0da06576f0eaa6eba134bf3059b09355

  • SHA1

    b0c7e1b2006cee0a54df0618d824779bb80f8eb2

  • SHA256

    bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac

  • SHA512

    ef0e58390d231148aa3df08a45344091c3a5f61f3c9244db9f0f0e850dd11c1dab0bc50586576df8ea30144e427c17b4e8b075c4ebdc67329f98bdd6aec3f16e

  • SSDEEP

    12288:JREurhYE0t70LTRzctH52cPUxvBLrlFgGUlgyiH:3vz0t70Ll3PjgGb

Score
10/10
warzoneratevasioninfostealerpersistencerattrojan

Malware Config

Targets

    • Target

      bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac.exe

    • Size

      451KB

    • MD5

      0da06576f0eaa6eba134bf3059b09355

    • SHA1

      b0c7e1b2006cee0a54df0618d824779bb80f8eb2

    • SHA256

      bdc5a66a0d41085b7694c31057c6947653c37b425a6841e99a9b86c5a10887ac

    • SHA512

      ef0e58390d231148aa3df08a45344091c3a5f61f3c9244db9f0f0e850dd11c1dab0bc50586576df8ea30144e427c17b4e8b075c4ebdc67329f98bdd6aec3f16e

    • SSDEEP

      12288:JREurhYE0t70LTRzctH52cPUxvBLrlFgGUlgyiH:3vz0t70Ll3PjgGb

    Score
    10/10
    warzoneratevasioninfostealerpersistencerattrojan

    • UAC bypass

      evasiontrojan

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Windows security bypass

      evasiontrojan

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Warzone RAT payload

      rat

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks