warzonerat | 76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5 | Triage

Submit
Reports

Overview

overview

Static

static

8

76acd3058c...f5.exe

windows7-x64

76acd3058c...f5.exe

windows10-2004-x64

Sharing

General

Target

76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5
Size

5.8MB
Sample

221130-vj1ttacb5v
MD5

7d01ed506f8b0f279672828a3831ef7c
SHA1

8dcc4d789caefd438f44615059dc0f4f47fa29b0
SHA256

76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5
SHA512

7ad7764dd2de059d40058d577d88a7d4bb65e491bdc8773b80c553f26c960b629e482abbee74973f7b4cc809e555d74c9388990607822682b302148da3ebda97
SSDEEP

98304:zpy6b+a439EQKfTRjX6+mv9CN5uoZI/Qm3nOR1ymm2iojZ/4vLp73lhjkE6RfAAX:zpy6Hf9jq+I9CFI5eG4Qp7LkEafAdo

Score

10^/10

warzonerat infostealer persistence rat vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5.exe

Resource

win7-20221111-en

warzonerat infostealer persistence rat vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5.exe

Resource

win10v2004-20221111-en

warzonerat infostealer persistence rat vmprotect

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

193.109.78.123:5200

Targets

- Target
  
  76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5
- Size
  
  5.8MB
- MD5
  
  7d01ed506f8b0f279672828a3831ef7c
- SHA1
  
  8dcc4d789caefd438f44615059dc0f4f47fa29b0
- SHA256
  
  76acd3058c0b09c8bd34be9fe13999cf7d34009154888e276d93a0702ed234f5
- SHA512
  
  7ad7764dd2de059d40058d577d88a7d4bb65e491bdc8773b80c553f26c960b629e482abbee74973f7b4cc809e555d74c9388990607822682b302148da3ebda97
- SSDEEP
  
  98304:zpy6b+a439EQKfTRjX6+mv9CN5uoZI/Qm3nOR1ymm2iojZ/4vLp73lhjkE6RfAAX:zpy6Hf9jq+I9CFI5eG4Qp7LkEafAdo
Score

10^/10

warzonerat infostealer persistence rat vmprotect
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistenceratvmprotect

behavioral2

warzoneratinfostealerpersistenceratvmprotect

© 2018-2024

Terms | Privacy