warzonerat | 35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f | Triage

Submit
Reports

Overview

overview

Static

static

35b63e2651...cs.exe

windows7-x64

35b63e2651...cs.exe

windows10-2004-x64

Sharing

General

Target

35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f_NeikiAnalytics
Size

1.8MB
Sample

240521-mev4rsaa5w
MD5

745bf86147d8971791dffabd3d6b15e0
SHA1

53870b0751f9caba2886810f71935e54e5ed8676
SHA256

35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f
SHA512

cfd01deb56a89fdca2a60cc1058ef915e9e33b5b47d62f827b232e1887e0f432c530eec6b0aeb99313003db1964651df5dcc305a91bb2cdf70ed88a70738000e
SSDEEP

12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDgj:J1gg4CppEI6GGfWDkIQDbGV6eH81ke

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f_NeikiAnalytics.exe

Resource

win7-20240220-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f_NeikiAnalytics
- Size
  
  1.8MB
- MD5
  
  745bf86147d8971791dffabd3d6b15e0
- SHA1
  
  53870b0751f9caba2886810f71935e54e5ed8676
- SHA256
  
  35b63e2651d67b817e0dfb73e57bfab1d309536482904e310dc624ea3543dd4f
- SHA512
  
  cfd01deb56a89fdca2a60cc1058ef915e9e33b5b47d62f827b232e1887e0f432c530eec6b0aeb99313003db1964651df5dcc305a91bb2cdf70ed88a70738000e
- SSDEEP
  
  12288:L99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN5A7W2FeDSIGVH/KIDgj:J1gg4CppEI6GGfWDkIQDbGV6eH81ke
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy