Overview

overview

10

Static

static

3

13a1de9118...10.exe

windows7-x64

10

13a1de9118...10.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9865e960e55907838a0e658e14ef1c70e91583cbe80da963f874df74022eb2bd

  • Size

    516KB

  • Sample

    240417-r3j4mace66

  • MD5

    dc068058ff7d280c16b19b299aff0000

  • SHA1

    c45a1903dd331027cdbfb0344ce9549cfaa972d6

  • SHA256

    9865e960e55907838a0e658e14ef1c70e91583cbe80da963f874df74022eb2bd

  • SHA512

    eda19efce7b28787839afdaa46d36589dc5a75fed13b19699ba555fa15a1e0179a4feeb445bf7bf5aa26d2e0b630fb2df6b9b2299d8e07d15f13cb767ffa1f20

  • SSDEEP

    12288:0OFnEXhLDiC51UwPUpiHhpBIDf5tHwHHVzv55HhwCNQcbqi2cl6:0OFE5AiHXB25tHwVzv/Bb2Eqi2Z

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

173.249.202.75:5200

Targets

    • Target

      13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

    • Size

      532KB

    • MD5

      bac1beef11c340ae6632b50d2ce1fb80

    • SHA1

      eed74625db691bb0d498afec7b5b376e83bf5ff1

    • SHA256

      13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310

    • SHA512

      1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6

    • SSDEEP

      12288:XePFLVoq3FMItDhVug2npXPCqCAVzDU17u+vpBze+kkNSLy5eZ870W:XePRVoMFMIt/+FxM7le+3NJi

    Score
    10/10
    warzoneratinfostealerratpersistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks