warzonerat | 134cc82d1702f6af49b36b9404a26069bd655bbd1a7659c9412f85be2a502532 | Triage

Submit
Reports

Overview

overview

Static

static

1cea1b0ce3...cs.exe

windows7-x64

1cea1b0ce3...cs.exe

windows10-2004-x64

Sharing

General

Target

1cea1b0ce3822658c165bcb1c80929b0_NeikiAnalytics.exe
Size

4.5MB
Sample

240518-v4er3sfa83
MD5

1cea1b0ce3822658c165bcb1c80929b0
SHA1

9bd12ce0d114447cbcfb68aa8429f51d4b08c797
SHA256

134cc82d1702f6af49b36b9404a26069bd655bbd1a7659c9412f85be2a502532
SHA512

14123a26a2fc3846c9e8b87d4d215b08c61c024e688a023fa20d168ee807a3a8589935bc596aa0fa1bc82453a043fae363049cd51a955de73edd9ec3a56486c3
SSDEEP

24576:K1gg4CppEI6GGfWDkOQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0L:K1XP6rPbNechC0bNechC0bNecl

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

1cea1b0ce3822658c165bcb1c80929b0_NeikiAnalytics.exe

Resource

win7-20240220-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

1cea1b0ce3822658c165bcb1c80929b0_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  1cea1b0ce3822658c165bcb1c80929b0_NeikiAnalytics.exe
- Size
  
  4.5MB
- MD5
  
  1cea1b0ce3822658c165bcb1c80929b0
- SHA1
  
  9bd12ce0d114447cbcfb68aa8429f51d4b08c797
- SHA256
  
  134cc82d1702f6af49b36b9404a26069bd655bbd1a7659c9412f85be2a502532
- SHA512
  
  14123a26a2fc3846c9e8b87d4d215b08c61c024e688a023fa20d168ee807a3a8589935bc596aa0fa1bc82453a043fae363049cd51a955de73edd9ec3a56486c3
- SSDEEP
  
  24576:K1gg4CppEI6GGfWDkOQDbGV6eH8tkxIbGD2JTu0GoWQDbGV6eH8tkxIbGD2JTu0L:K1XP6rPbNechC0bNechC0bNecl
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy