warzonerat | 1944aa15e6db8e3b416928e5b07218e2a76f2bfc7dae93b569d7667a0d06c5ed | Triage

Submit
Reports

Overview

overview

Static

static

01a5564b07...18.exe

windows7-x64

01a5564b07...18.exe

windows10-2004-x64

Sharing

General

Target

01a5564b07b078451e2f79255fc8aea7_JaffaCakes118
Size

1.2MB
Sample

240426-zqmmzsca73
MD5

01a5564b07b078451e2f79255fc8aea7
SHA1

a9aa517798657dbd549eac4cb838bfd6185ef852
SHA256

1944aa15e6db8e3b416928e5b07218e2a76f2bfc7dae93b569d7667a0d06c5ed
SHA512

a249dcd9283a42ec837896cfb89c1ae375a97739bfa01df525b2699e154b53b4c247d071fe8f6aeac7810eadaf3cca05303e196d03e021ae750e963102ced9c9
SSDEEP

12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11k2:OIbGD2JTu0GoZQDbGV6eH81k2

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Static task

static1

rat aspackv2 warzonerat

4 signatures

Behavioral task

behavioral1

Sample

01a5564b07b078451e2f79255fc8aea7_JaffaCakes118.exe

Resource

win7-20240419-en

warzonerat aspackv2 evasion infostealer persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

01a5564b07b078451e2f79255fc8aea7_JaffaCakes118.exe

Resource

win10v2004-20240419-en

warzonerat aspackv2 evasion infostealer persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  01a5564b07b078451e2f79255fc8aea7_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  01a5564b07b078451e2f79255fc8aea7
- SHA1
  
  a9aa517798657dbd549eac4cb838bfd6185ef852
- SHA256
  
  1944aa15e6db8e3b416928e5b07218e2a76f2bfc7dae93b569d7667a0d06c5ed
- SHA512
  
  a249dcd9283a42ec837896cfb89c1ae375a97739bfa01df525b2699e154b53b4c247d071fe8f6aeac7810eadaf3cca05303e196d03e021ae750e963102ced9c9
- SSDEEP
  
  12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11k2:OIbGD2JTu0GoZQDbGV6eH81k2
Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

rataspackv2warzonerat

behavioral1

warzonerataspackv2evasioninfostealerpersistencerat

behavioral2

warzonerataspackv2evasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy