warzonerat | 7d3323da32cb30fed5acbc1b1e0f053ee43d111a5c354c3bae95d580e54a7e79 | Triage

Submit
Reports

Overview

overview

Static

static

3

dbcfc21ffa...18.exe

windows7-x64

1

dbcfc21ffa...18.exe

windows10-2004-x64

Sharing

General

Target

dbcfc21ffafc545f171df65dd419682a_JaffaCakes118
Size

940KB
Sample

240406-flayvabh34
MD5

dbcfc21ffafc545f171df65dd419682a
SHA1

7801722cb68ba9b3d5af59f9faa70277b530a9c0
SHA256

7d3323da32cb30fed5acbc1b1e0f053ee43d111a5c354c3bae95d580e54a7e79
SHA512

61a3da4da4217936965077772274ad1b1fd6db0005525704ced2b36d6f2543810dd2b69c727606b1ecc9e98be07d1524613f1737a773c005d377cb30663221bf
SSDEEP

12288:HCyhPc4hbmOwD71tJha6QSGYlrVs8tBnqRrfgwNaSctMXe:HCak8bmOKhtPUY8bxsMO

Score

10^/10

warzonerat agilenet infostealer persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

dbcfc21ffafc545f171df65dd419682a_JaffaCakes118.exe

Resource

win7-20240215-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

dbcfc21ffafc545f171df65dd419682a_JaffaCakes118.exe

Resource

win10v2004-20240226-en

warzonerat agilenet infostealer persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

pastorcc.duckdns.org:2223

Targets

- Target
  
  dbcfc21ffafc545f171df65dd419682a_JaffaCakes118
- Size
  
  940KB
- MD5
  
  dbcfc21ffafc545f171df65dd419682a
- SHA1
  
  7801722cb68ba9b3d5af59f9faa70277b530a9c0
- SHA256
  
  7d3323da32cb30fed5acbc1b1e0f053ee43d111a5c354c3bae95d580e54a7e79
- SHA512
  
  61a3da4da4217936965077772274ad1b1fd6db0005525704ced2b36d6f2543810dd2b69c727606b1ecc9e98be07d1524613f1737a773c005d377cb30663221bf
- SSDEEP
  
  12288:HCyhPc4hbmOwD71tJha6QSGYlrVs8tBnqRrfgwNaSctMXe:HCak8bmOKhtPUY8bxsMO
Score

10^/10

warzonerat agilenet infostealer persistence rat trojan
- Detects BazaLoader malware
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratagilenetinfostealerpersistencerattrojan

© 2018-2024

Terms | Privacy