warzonerat | 93983480e656ab227ef8c96b10fa2360ca628bc34689d05d6483a87a8b3af014 | Triage

Submit
Reports

Overview

overview

Static

static

3

1768a22ad0...18.exe

windows7-x64

1768a22ad0...18.exe

windows10-2004-x64

Sharing

General

Target

1768a22ad081724971c9a709488d41d3_JaffaCakes118
Size

377KB
Sample

240505-nbfeksbf24
MD5

1768a22ad081724971c9a709488d41d3
SHA1

a180bfc90402a3cd3656c2a5a2ba876987e055b4
SHA256

93983480e656ab227ef8c96b10fa2360ca628bc34689d05d6483a87a8b3af014
SHA512

ee173b87e207c655990b8a26791a6150b13177786ba1bc6d04fc467bf0fdf219f996ab5d2e9599f9de323744ebc981a79f38f162051ffed5ae141a763a0564d0
SSDEEP

6144:vAiuocJAT7f5t3FiyvaKS9zAUNwu+Tb6Z45AqP87KW40:Yiu5Juv1iyvaKHUf+fcgzyKf0

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe

Resource

win7-20231129-en

warzonerat infostealer persistence rat

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

1768a22ad081724971c9a709488d41d3_JaffaCakes118.exe

Resource

win10v2004-20240419-en

warzonerat infostealer persistence rat

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

stoic.gleeze.com:5200

Targets

- Target
  
  1768a22ad081724971c9a709488d41d3_JaffaCakes118
- Size
  
  377KB
- MD5
  
  1768a22ad081724971c9a709488d41d3
- SHA1
  
  a180bfc90402a3cd3656c2a5a2ba876987e055b4
- SHA256
  
  93983480e656ab227ef8c96b10fa2360ca628bc34689d05d6483a87a8b3af014
- SHA512
  
  ee173b87e207c655990b8a26791a6150b13177786ba1bc6d04fc467bf0fdf219f996ab5d2e9599f9de323744ebc981a79f38f162051ffed5ae141a763a0564d0
- SSDEEP
  
  6144:vAiuocJAT7f5t3FiyvaKS9zAUNwu+Tb6Z45AqP87KW40:Yiu5Juv1iyvaKHUf+fcgzyKf0
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy