warzonerat | eb508dd16e3181fcb87e35f363a62ac67c3851b414b20d7e83825733cf4dc56d | Triage

Submit
Reports

Overview

overview

Static

static

1

5a39f9dbd5...60.exe

windows7-x64

5a39f9dbd5...60.exe

windows10-2004-x64

Sharing

General

Target

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.zip
Size

164KB
Sample

230321-qplvmaae37
MD5

04c7a45184c4ac326d97fda239411d20
SHA1

f3b8622942897339ed4b02e33bbd6ae3196df7b6
SHA256

eb508dd16e3181fcb87e35f363a62ac67c3851b414b20d7e83825733cf4dc56d
SHA512

362d8313cf0805e8137b233dce3ec96a253f5ab3f91ee67e095f920acfdbb2acda0ecc7e20be2510704f33de9df303f0614222b6ece01a34937bb3687a32cbde
SSDEEP

3072:svVb1lXfJdrvZUX/sWuZm+sOJraBUdHdwpLL9cMGK5ShNcZOvanLcJ:sdHfHZLWybJraBUd9wpHGbW5QJ

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe

Resource

win7-20230220-en

warzonerat infostealer persistence rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe

Resource

win10v2004-20230220-en

warzonerat infostealer persistence rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

macking.duckdns.org:1104

Targets

- Target
  
  5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
- Size
  
  202KB
- MD5
  
  05ca94d88d462bef2458ec93ed42df23
- SHA1
  
  bc749bbfef60caac3ae0a3b6324767532c9e43dd
- SHA256
  
  5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260
- SHA512
  
  b88729322928ce573c93cfdee9979bea525902fa71c96c5f43ca2370ca3d841b4708e89b5205a4404dc9af36526e5ca8b719d08c1bfc663358b799e492efa923
- SSDEEP
  
  3072:2fY/TU9fE9PEtu9brXRHwio/QbIFBo93nmpeBTJ1N+Mmc/8CWbqQZU8hbpUVS:gYa6TrFH3kE92pe9Jx/ZWbqunhKVS
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy