warzonerat | 9bf132141bbd8a842f487efecf12ca6a4f0bcbaae8aa578480bea2fb95c5bbaf | Triage

Submit
Reports

Overview

overview

Static

static

1d02d54daf...18.exe

windows7-x64

1d02d54daf...18.exe

windows10-2004-x64

Sharing

General

Target

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118
Size

2.9MB
Sample

240506-r7aezsac62
MD5

1d02d54daf75df2128c2b9bb12682f2b
SHA1

1fc242fe45d6f7fd8fa6f70c9de5cc84db062f11
SHA256

9bf132141bbd8a842f487efecf12ca6a4f0bcbaae8aa578480bea2fb95c5bbaf
SHA512

a17fd2af30c0c1ae276f9dc9e19a2662681a5e215e0bd6ec6d59087ce959661d353ed1bb2e1af1b6f9bc255840616f4280b6cd9d247da68a900cf86414bff7fb
SSDEEP

24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHn:3Ty7A3mw4gxeOw46fUbNecCCFbNecK

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118.exe

Resource

win10v2004-20240419-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  1d02d54daf75df2128c2b9bb12682f2b_JaffaCakes118
- Size
  
  2.9MB
- MD5
  
  1d02d54daf75df2128c2b9bb12682f2b
- SHA1
  
  1fc242fe45d6f7fd8fa6f70c9de5cc84db062f11
- SHA256
  
  9bf132141bbd8a842f487efecf12ca6a4f0bcbaae8aa578480bea2fb95c5bbaf
- SHA512
  
  a17fd2af30c0c1ae276f9dc9e19a2662681a5e215e0bd6ec6d59087ce959661d353ed1bb2e1af1b6f9bc255840616f4280b6cd9d247da68a900cf86414bff7fb
- SSDEEP
  
  24576:3Ty7A3mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHn:3Ty7A3mw4gxeOw46fUbNecCCFbNecK
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy