warzonerat | ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6 | Triage

Submit
Reports

Overview

overview

Static

static

16ab99e0ac...18.exe

windows7-x64

16ab99e0ac...18.exe

windows10-2004-x64

Sharing

General

Target

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118
Size

1.2MB
Sample

240505-jlxz6abe3x
MD5

16ab99e0ac1897405a4d16b44b29c0af
SHA1

e0e474c2748c474810774622dee6a77e31e58f1a
SHA256

ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6
SHA512

7dc4494c23b3d9245a1340bd46020172fa5a62c2220e63af63fecf21e6b96503982c89fc2b9d468dce583911b6212243f0fcdfb02f1eeb9fe11f06cc3bc1ca33
SSDEEP

12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11kj:OIbGD2JTu0GoZQDbGV6eH81kj

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Static task

static1

rat aspackv2 warzonerat

4 signatures

Behavioral task

behavioral1

Sample

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat aspackv2 evasion infostealer persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118.exe

Resource

win10v2004-20240226-en

warzonerat aspackv2 evasion infostealer persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  16ab99e0ac1897405a4d16b44b29c0af_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  16ab99e0ac1897405a4d16b44b29c0af
- SHA1
  
  e0e474c2748c474810774622dee6a77e31e58f1a
- SHA256
  
  ab0d602717ad9c3085c21ea4cb3bbf53c47c22d74112d7f69fba26efe5cedaf6
- SHA512
  
  7dc4494c23b3d9245a1340bd46020172fa5a62c2220e63af63fecf21e6b96503982c89fc2b9d468dce583911b6212243f0fcdfb02f1eeb9fe11f06cc3bc1ca33
- SSDEEP
  
  12288:OIbsBDU0I6+Tu0TJ0N1oYgNOFDA7W2FeDSIGVH/KIDgDgUeHbY11kj:OIbGD2JTu0GoZQDbGV6eH81kj
Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

rataspackv2warzonerat

behavioral1

warzonerataspackv2evasioninfostealerpersistencerat

behavioral2

warzonerataspackv2evasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy