warzonerat | fb7bcd7984c61451e3728b5e5e877fb69984e1e82b665a4a085e5eb3d6f13dd1 | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...61.exe

windows7-x64

SecuriteIn...61.exe

windows10-2004-x64

Sharing

General

Target

SecuriteInfo.com.Variant.MSILHeracles.52384.6028.19461.exe
Size

800KB
Sample

221206-lkxdcahd81
MD5

376dd89863cc14b9bcacca87ae661e99
SHA1

4670c9cadcab89c8369fc250e1642cbc4e80bfa7
SHA256

fb7bcd7984c61451e3728b5e5e877fb69984e1e82b665a4a085e5eb3d6f13dd1
SHA512

4cef26e214535f6cd93522c8e0c4cd10cdf90f26c1f63bf1bebf40e35c17ac4e41aafd2444a0874e0c5214be9ba7df7ed6ae63311ef8f2792c2f1d7fecb71620
SSDEEP

12288:+rkSnXEjuMquU9M4/dY2lJanhBzDwv7bL0J/:+rkSnXYuWuY2UhBeUp

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Variant.MSILHeracles.52384.6028.19461.exe

Resource

win7-20220812-en

warzonerat infostealer persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Variant.MSILHeracles.52384.6028.19461.exe

Resource

win10v2004-20220901-en

warzonerat infostealer persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  SecuriteInfo.com.Variant.MSILHeracles.52384.6028.19461.exe
- Size
  
  800KB
- MD5
  
  376dd89863cc14b9bcacca87ae661e99
- SHA1
  
  4670c9cadcab89c8369fc250e1642cbc4e80bfa7
- SHA256
  
  fb7bcd7984c61451e3728b5e5e877fb69984e1e82b665a4a085e5eb3d6f13dd1
- SHA512
  
  4cef26e214535f6cd93522c8e0c4cd10cdf90f26c1f63bf1bebf40e35c17ac4e41aafd2444a0874e0c5214be9ba7df7ed6ae63311ef8f2792c2f1d7fecb71620
- SSDEEP
  
  12288:+rkSnXEjuMquU9M4/dY2lJanhBzDwv7bL0J/:+rkSnXYuWuY2UhBeUp
Score

10^/10

warzonerat infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy