warzonerat | f5cc32923c33c8a2c160410e80726f1055856955178cb88924f1fb57adcd6647 | Triage

Submit
Reports

Overview

overview

Static

static

0b9c7e91c7...18.exe

windows7-x64

0b9c7e91c7...18.exe

windows10-2004-x64

Sharing

General

Target

0b9c7e91c761c5aba3bb663d76f1074e_JaffaCakes118
Size

2.9MB
Sample

240501-mz23tafd73
MD5

0b9c7e91c761c5aba3bb663d76f1074e
SHA1

971b7bd3127fe6a8c4c6a55f52ebcc26c8bf731c
SHA256

f5cc32923c33c8a2c160410e80726f1055856955178cb88924f1fb57adcd6647
SHA512

c5c8921939d368c7038b3df1f5ff191965e55f4bf368c09ac7c73da4d179e8e24f1c789ec3d5d3c1b6e77c71b8e4c3d6b3d0ceb831e7cf013d8d85487784d355
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH5:3Ty7A3mw4gxeOw46fUbNecCCFbNecM

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

0b9c7e91c761c5aba3bb663d76f1074e_JaffaCakes118.exe

Resource

win7-20240215-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

0b9c7e91c761c5aba3bb663d76f1074e_JaffaCakes118.exe

Resource

win10v2004-20240419-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  0b9c7e91c761c5aba3bb663d76f1074e_JaffaCakes118
- Size
  
  2.9MB
- MD5
  
  0b9c7e91c761c5aba3bb663d76f1074e
- SHA1
  
  971b7bd3127fe6a8c4c6a55f52ebcc26c8bf731c
- SHA256
  
  f5cc32923c33c8a2c160410e80726f1055856955178cb88924f1fb57adcd6647
- SHA512
  
  c5c8921939d368c7038b3df1f5ff191965e55f4bf368c09ac7c73da4d179e8e24f1c789ec3d5d3c1b6e77c71b8e4c3d6b3d0ceb831e7cf013d8d85487784d355
- SSDEEP
  
  24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH5:3Ty7A3mw4gxeOw46fUbNecCCFbNecM
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy