warzonerat | f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782 | Triage

Submit
Reports

Overview

overview

Static

static

3

fed9ab5b21...18.exe

windows7-x64

fed9ab5b21...18.exe

windows10-2004-x64

Sharing

General

Target

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118
Size

1.3MB
Sample

240421-j73grsfc6y
MD5

fed9ab5b2162b76ab5d83a9bf07342b3
SHA1

0dd925c9fc2ee6b95d760d184326f32b681ffd49
SHA256

f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782
SHA512

56cff7e236ccc12df18a9b9c903e2aee4aba4838d1190551d86af68bddc38aab4de7ac8f8adca995bb7446ed49280efd9dc9270048150b59fdf78203e76478df
SSDEEP

24576:vJjAKND1LIQgBPiXcDvWEAU07P2vIBzjoR:vJjN9IQEiXcUo

Score

10^/10

warzonerat zgrat infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118.exe

Resource

win10v2004-20240412-en

warzonerat zgrat infostealer persistence rat

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

andronmatskiv20.sytes.net:5200

Targets

- Target
  
  fed9ab5b2162b76ab5d83a9bf07342b3_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  fed9ab5b2162b76ab5d83a9bf07342b3
- SHA1
  
  0dd925c9fc2ee6b95d760d184326f32b681ffd49
- SHA256
  
  f507336abc0d9c301b6b7103c6be90ea15121b937e6385091e712a4f22ddc782
- SHA512
  
  56cff7e236ccc12df18a9b9c903e2aee4aba4838d1190551d86af68bddc38aab4de7ac8f8adca995bb7446ed49280efd9dc9270048150b59fdf78203e76478df
- SSDEEP
  
  24576:vJjAKND1LIQgBPiXcDvWEAU07P2vIBzjoR:vJjN9IQEiXcUo
Score

10^/10

zgrat rat warzonerat infostealer persistence
- Detect ZGRat V1
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

warzoneratzgratinfostealerpersistencerat

© 2018-2024

Terms | Privacy