warzonerat | 2896ddf591256c4bcbfde93116fdf3e1b01c4c4bed2b4651ddf5509d400bb15a | Triage

Submit
Reports

Overview

overview

Static

static

8960471d8f...0d.exe

windows7-x64

8960471d8f...0d.exe

windows10-2004-x64

Sharing

General

Target

8557877249.zip
Size

437KB
Sample

221206-wn795adh31
MD5

4781f14e40effb69e5951c2795307271
SHA1

6d4ff9e453dab84da0f4c3c2c046b9b211d35c6d
SHA256

2896ddf591256c4bcbfde93116fdf3e1b01c4c4bed2b4651ddf5509d400bb15a
SHA512

7a8e19fb30bbc0a6e49b8a68a01e0cdbbb4768373b2343a92256a15f069afe0b6486d3a60eb1a02037d0924d7cff6b249222f6722bd2ad80b3bde7787effbc83
SSDEEP

12288:7ZVfJYJ3e0V3LC4oGMG8PAxfa43g+AVv8NCGQS:tVl0gu8caug+IvowS

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

8960471d8fd9a7991440d240baafe31b048b2f68e7999b77e5fe2cffb3c2b90d.exe

Resource

win7-20220901-en

warzonerat evasion infostealer persistence rat upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

8960471d8fd9a7991440d240baafe31b048b2f68e7999b77e5fe2cffb3c2b90d.exe

Resource

win10v2004-20220812-en

warzonerat evasion infostealer persistence rat upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  8960471d8fd9a7991440d240baafe31b048b2f68e7999b77e5fe2cffb3c2b90d
- Size
  
  660KB
- MD5
  
  0b68196f8812f273aff9f237bfe5a59b
- SHA1
  
  494972b016c5e804b9ff2fb1719225c82c86584e
- SHA256
  
  8960471d8fd9a7991440d240baafe31b048b2f68e7999b77e5fe2cffb3c2b90d
- SHA512
  
  09ae6bb5bac3f1feca69e1980cc60a2a28813698bdbeeb0052f2e270978f8566fc2a64e8c6ae1bacbb0283d487be7957d436b0ee23a8749e67f05caee5fea3db
- SSDEEP
  
  12288:SxuVhFOAr1kDr+3WTuU9M4hLajznhBzDwvQne:SAV6Dre9eajbhBw
Score

10^/10

warzonerat evasion infostealer persistence rat upx
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistenceratupx

behavioral2

warzoneratevasioninfostealerpersistenceratupx

© 2018-2024

Terms | Privacy