General

  • Target

    origin.exe

  • Size

    552KB

  • Sample

    221201-ztgwxaeb5t

  • MD5

    fd49a17b3d4bfe10a79a8f6c25f72f50

  • SHA1

    a25885590c16d80d46846d75f1f7646bfc26c005

  • SHA256

    7df4c22eb854a3167a7f606f9ad2baf1d6fff8ac85c8b4d265248e272afdbaab

  • SHA512

    3049f06b75f8ec88ffb75cdd97ac68c63f0ef4cf9d53791a6bdda0886f9021fea1b470f2b8a137ef9d4d3dac15773562878b11657f11ce041b4cfa3416d1a762

  • SSDEEP

    12288:GPqfpmguB1C6MgG4WymunsifuHqDoCu9l9jq:IqfpmguvC6zG46u+HqDoL9j

Targets

    • Target

      origin.exe

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT written in C++ that ships with multiple plugins and is sold as malware-as-a-service (MaaS).

    • Warzone RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; this is likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1
    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2