warzonerat | dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae | Triage

Submit
Reports

Overview

overview

Static

static

dd9152f146...ae.exe

windows7-x64

dd9152f146...ae.exe

windows10-2004-x64

Sharing

General

Target

dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae
Size

1.8MB
Sample

230326-banncagh6t
MD5

fffdbc2d037fed8cb5fee7042f16331e
SHA1

5844613c31bc7b536547da7e11c922cec7b8d381
SHA256

dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae
SHA512

15e0bc35c1d5f63becba5d637daf3a01cd61dd2c9dbbbc94b1226329449536aaff9f6d544321488a925ebe75be535ed7a56c243be648a3ea4add984a0dbaef26
SSDEEP

12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDg0:J1gg4CppEI6GGfWDkIQDbGV6eH81k1

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae.exe

Resource

win7-20230220-en

warzonerat evasion infostealer persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae.exe

Resource

win10v2004-20230221-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae
- Size
  
  1.8MB
- MD5
  
  fffdbc2d037fed8cb5fee7042f16331e
- SHA1
  
  5844613c31bc7b536547da7e11c922cec7b8d381
- SHA256
  
  dd9152f146a1fef42eeae45f8cad2f675455db4bed38b263fb6bc6b6359071ae
- SHA512
  
  15e0bc35c1d5f63becba5d637daf3a01cd61dd2c9dbbbc94b1226329449536aaff9f6d544321488a925ebe75be535ed7a56c243be648a3ea4add984a0dbaef26
- SSDEEP
  
  12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDg0:J1gg4CppEI6GGfWDkIQDbGV6eH81k1
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy