warzonerat | e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b | Triage

Submit
Reports

Overview

overview

Static

static

3

128b26f383...18.exe

windows7-x64

128b26f383...18.exe

windows10-2004-x64

Sharing

General

Target

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118
Size

1.6MB
Sample

240504-nnc5zscg4y
MD5

128b26f383a1f6bb071df23e1cfb82af
SHA1

c9dab1c522d5cff0defb801acf634d948384e79e
SHA256

e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b
SHA512

a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b
SSDEEP

24576:Pj2iZXSjoekb9TXahIoFRFGM/SJLMJ3GAOxW4PLSf:ejoekb9LYIWRdSuFShPLSf

Score

10^/10

warzonerat execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat execution infostealer persistence rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118.exe

Resource

win10v2004-20240419-en

warzonerat execution infostealer persistence rat

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

dultrasolutions.duckdns.org:7171

Targets

- Target
  
  128b26f383a1f6bb071df23e1cfb82af_JaffaCakes118
- Size
  
  1.6MB
- MD5
  
  128b26f383a1f6bb071df23e1cfb82af
- SHA1
  
  c9dab1c522d5cff0defb801acf634d948384e79e
- SHA256
  
  e4f54bbd59b269cffb0d0bf1a4ac0f37d931af813c9944991cc7dbeb9bffcd6b
- SHA512
  
  a2003412b7cd56e5d418de7564e00ff873235350d81e540f57be4f6eb47e001e1674be509f70b78dff1db288fa0fe9d7856b7f4ebc9ff7c94f6cbc4c55ea0b2b
- SSDEEP
  
  24576:Pj2iZXSjoekb9TXahIoFRFGM/SJLMJ3GAOxW4PLSf:ejoekb9LYIWRdSuFShPLSf
Score

10^/10

warzonerat execution infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratexecutioninfostealerpersistencerat

behavioral2

warzoneratexecutioninfostealerpersistencerat

© 2018-2024

Terms | Privacy