warzonerat | 8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f | Triage

Submit
Reports

Overview

overview

Static

static

1

8eb2f7ab9b...5f.exe

windows7-x64

8eb2f7ab9b...5f.exe

windows10-2004-x64

Sharing

General

Target

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe
Size

177KB
Sample

230313-hzdb8sba3s
MD5

877f6849ca8eb7a220d7bb64add71f44
SHA1

41550d90774094cc82fce79db394c0bbdaf9c269
SHA256

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f
SHA512

cc71b1c3fd3fd4ec15a38f4fdb55e99a09964acf740e32b8093fb05ef23454ed4d2daa560db49c23bda1526f267ff292326585f1f06d31aa3bc866d3acbf256c
SSDEEP

3072:2fY/TU9fE9PEtuGbo74DhFVnHNrNRBpAnv++sKXzRHyuOV0AASZv7M5yg7u:gYa6Wo74FnHRBpAn7XzRHyu40AASZ6Ba

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe

Resource

win7-20230220-en

warzonerat infostealer persistence rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe

Resource

win10v2004-20230220-en

warzonerat infostealer persistence rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

macrim.duckdns.org:6269

Targets

- Target
  
  8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe
- Size
  
  177KB
- MD5
  
  877f6849ca8eb7a220d7bb64add71f44
- SHA1
  
  41550d90774094cc82fce79db394c0bbdaf9c269
- SHA256
  
  8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f
- SHA512
  
  cc71b1c3fd3fd4ec15a38f4fdb55e99a09964acf740e32b8093fb05ef23454ed4d2daa560db49c23bda1526f267ff292326585f1f06d31aa3bc866d3acbf256c
- SSDEEP
  
  3072:2fY/TU9fE9PEtuGbo74DhFVnHNrNRBpAnv++sKXzRHyuOV0AASZv7M5yg7u:gYa6Wo74FnHRBpAn7XzRHyu40AASZ6Ba
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy