warzonerat | e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40 | Triage

Submit
Reports

Overview

overview

Static

static

fd1a4389ae...18.exe

windows7-x64

fd1a4389ae...18.exe

windows10-2004-x64

Sharing

General

Target

fd1a4389ae602d038236500becb9e716_JaffaCakes118
Size

13.0MB
Sample

240420-s55zjsbh63
MD5

fd1a4389ae602d038236500becb9e716
SHA1

07391dfac902cf86854020fc1a869ba40c0a83ed
SHA256

e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
SHA512

6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
SSDEEP

196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStD:D7d9xZo7d9xZS7d9xZo7d9xZA

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Static task

static1

rat upx warzonerat

4 signatures

Behavioral task

behavioral1

Sample

fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat evasion infostealer persistence rat upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

Resource

win10v2004-20240412-en

warzonerat evasion infostealer persistence rat upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  fd1a4389ae602d038236500becb9e716_JaffaCakes118
- Size
  
  13.0MB
- MD5
  
  fd1a4389ae602d038236500becb9e716
- SHA1
  
  07391dfac902cf86854020fc1a869ba40c0a83ed
- SHA256
  
  e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
- SHA512
  
  6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822
- SSDEEP
  
  196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStD:D7d9xZo7d9xZS7d9xZo7d9xZA
Score

10^/10

warzonerat evasion infostealer persistence rat upx
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

ratupxwarzonerat

behavioral1

warzoneratevasioninfostealerpersistenceratupx

behavioral2

warzoneratevasioninfostealerpersistenceratupx

© 2018-2024

Terms | Privacy