Overview

overview

10

Static

static

1

634f090793...7d.exe

windows7-x64

10

634f090793...7d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    634f090793b9102a76256bc2f57af27d.exe

  • Size

    392KB

  • Sample

    221124-tdb3tshb8t

  • MD5

    634f090793b9102a76256bc2f57af27d

  • SHA1

    7a66e6d175c747ff3423a71dfdeb525ec542f3b8

  • SHA256

    561c6e890c23970149d70017c414677c85d99d428cd96378c15f8459596957c6

  • SHA512

    1cfe55dde522062b73f33a46edcf0cf5f9b84c1d8c8b6f7f6d1bbf9739d4e6fcf435a7b1965bef390fa73c1fb5506292452c52497171b220606d7a07406466f2

  • SSDEEP

    6144:jEa0PXS18jHzrwmFPpNUAvyrXRnAPljWUAJvSbn:Ki18jHP/VvytcMpKL

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

maulo.duckdns.org:6269

Targets

    • Target

      634f090793b9102a76256bc2f57af27d.exe

    • Size

      392KB

    • MD5

      634f090793b9102a76256bc2f57af27d

    • SHA1

      7a66e6d175c747ff3423a71dfdeb525ec542f3b8

    • SHA256

      561c6e890c23970149d70017c414677c85d99d428cd96378c15f8459596957c6

    • SHA512

      1cfe55dde522062b73f33a46edcf0cf5f9b84c1d8c8b6f7f6d1bbf9739d4e6fcf435a7b1965bef390fa73c1fb5506292452c52497171b220606d7a07406466f2

    • SSDEEP

      6144:jEa0PXS18jHzrwmFPpNUAvyrXRnAPljWUAJvSbn:Ki18jHP/VvytcMpKL

    Score
    10/10
    warzoneratinfostealerpersistencerat

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks