warzonerat | 6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae | Triage

Submit
Reports

Overview

overview

Static

static

05ed34336a...18.exe

windows7-x64

05ed34336a...18.exe

windows10-2004-x64

Sharing

General

Target

05ed34336a57c32067b70dad6ed34053_JaffaCakes118
Size

2.9MB
Sample

240428-ydw58afg5t
MD5

05ed34336a57c32067b70dad6ed34053
SHA1

1fb2309fb291e65b7597638a55d1891cb90d26d7
SHA256

6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae
SHA512

9e2306065c70ae266ba96d1d2d83081ffa89e300f88a41ed786645a6cffd6031362885850461caee9069578755631901def0421fc32e21e29908c49e159f9666
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHx:ATU7AAmw4gxeOw46fUbNecCCFbNecG

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Static task

static1

rat upx warzonerat

4 signatures

Behavioral task

behavioral1

Sample

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe

Resource

win7-20240215-en

warzonerat evasion infostealer persistence rat upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

05ed34336a57c32067b70dad6ed34053_JaffaCakes118.exe

Resource

win10v2004-20240426-en

warzonerat evasion infostealer persistence rat upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  05ed34336a57c32067b70dad6ed34053_JaffaCakes118
- Size
  
  2.9MB
- MD5
  
  05ed34336a57c32067b70dad6ed34053
- SHA1
  
  1fb2309fb291e65b7597638a55d1891cb90d26d7
- SHA256
  
  6eece4806c8bf747902d294b848541c47b364d234e0ae5940422cfe6d43b50ae
- SHA512
  
  9e2306065c70ae266ba96d1d2d83081ffa89e300f88a41ed786645a6cffd6031362885850461caee9069578755631901def0421fc32e21e29908c49e159f9666
- SSDEEP
  
  24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHx:ATU7AAmw4gxeOw46fUbNecCCFbNecG
Score

10^/10

warzonerat evasion infostealer persistence rat upx
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

ratupxwarzonerat

behavioral1

warzoneratevasioninfostealerpersistenceratupx

behavioral2

warzoneratevasioninfostealerpersistenceratupx

© 2018-2024

Terms | Privacy