warzonerat | e4a09df65e6fa5f2503ee3f5d70ca01ce70242ad5483c321ccd7ffe9ea885519 | Triage

Submit
Reports

Overview

overview

Static

static

3

Bank Copy.exe

windows7-x64

Bank Copy.exe

windows10-2004-x64

Sharing

General

Target

6cbd5ed6f4fd08e4e967f7ecad37f5a0_JaffaCakes118
Size

370KB
Sample

240524-agcnzsed95
MD5

6cbd5ed6f4fd08e4e967f7ecad37f5a0
SHA1

7f34da3920f6248f3e46a71f3cf7eb07f5c65c5f
SHA256

e4a09df65e6fa5f2503ee3f5d70ca01ce70242ad5483c321ccd7ffe9ea885519
SHA512

f840f04a0e6ebb7c5ed31d0d59fd590c73f3dc568194b78d88b74dcb26e28859f64e5c4dbfb060317c099d34ff2972be63cac5dd6ccff160333eb11da2bb142f
SSDEEP

6144:YHYE9ZtsDPmdnTD54OW5pvOfUuNFi0wITUGydwr6yPwWhWAMFmr:Y4NjmdpgppuaCYVwrdP06

Score

10^/10

warzonerat execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Bank Copy.exe

Resource

win7-20240508-en

warzonerat infostealer rat

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

Bank Copy.exe

Resource

win10v2004-20240508-en

warzonerat execution infostealer persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

191.101.193.159:3800

Targets

- Target
  
  Bank Copy.exe
- Size
  
  523KB
- MD5
  
  a5bcd2c4a412ec6662a2ad9246ef5f57
- SHA1
  
  d600171e802bf1af82cd5a88484b84787738fe2a
- SHA256
  
  44631c28fe04318faf429139fae5d95554dc1a9c4fd47b2c2ab2e0fff7667271
- SHA512
  
  46e94d7cc180c3141dcb0899e7f67f9ac7d0ffd6a35cd32a62648b5f3b5c2de127495c12683a5fe77f26b9eb435464d38e645625ca70959fcdb724359ac16950
- SSDEEP
  
  12288:e++r1s0nfkxL8UGPpzgCmqqCt/b7ejl2:eRr1s0VR7mG/el2
Score

10^/10

warzonerat infostealer rat execution persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratexecutioninfostealerpersistencerat

© 2018-2024

Terms | Privacy