warzonerat | 97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3 | Triage

Submit
Reports

Overview

overview

Static

static

97851f29ef...c3.exe

windows7-x64

97851f29ef...c3.exe

windows10-2004-x64

Sharing

General

Target

97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3
Size

2.9MB
Sample

240518-ba8zaacb83
MD5

5d6caa17bd3e9f5ae9c70fac8bf8697b
SHA1

4168c07b4049982bf7a819b4ea70af72b1dcc6b8
SHA256

97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3
SHA512

e516e2c20c97949f409cca053b9d7dc31438dcdfcfc529906167ede2005202daccdbeb003164858acce09095b70fa263c5008163083eb1ce7922f25b4f1b6060
SSDEEP

24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHs:eTy7ASmw4gxeOw46fUbNecCCFbNec3

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3.exe

Resource

win7-20240221-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3.exe

Resource

win10v2004-20240508-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3
- Size
  
  2.9MB
- MD5
  
  5d6caa17bd3e9f5ae9c70fac8bf8697b
- SHA1
  
  4168c07b4049982bf7a819b4ea70af72b1dcc6b8
- SHA256
  
  97851f29efbe6376b3178110a93d255cf180cb27beb4998b87356e38813da3c3
- SHA512
  
  e516e2c20c97949f409cca053b9d7dc31438dcdfcfc529906167ede2005202daccdbeb003164858acce09095b70fa263c5008163083eb1ce7922f25b4f1b6060
- SSDEEP
  
  24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHs:eTy7ASmw4gxeOw46fUbNecCCFbNec3
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy