warzonerat | aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746 | Triage

Submit
Reports

Overview

overview

Static

static

3

87d5c387c3...18.exe

windows7-x64

87d5c387c3...18.exe

windows10-2004-x64

Sharing

General

Target

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118
Size

1.7MB
Sample

240531-wh5baafg6y
MD5

87d5c387c363d12da2820e403d03c8b3
SHA1

5c37c95ddf2bdbf470f98088e061047f6acc506f
SHA256

aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
SHA512

2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
SSDEEP

6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxndeCiy:U7EalzzLSKhxvf/nuvYxRRjgLy

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat execution infostealer persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

87d5c387c363d12da2820e403d03c8b3_JaffaCakes118.exe

Resource

win10v2004-20240508-en

warzonerat discovery execution infostealer persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.105:5200

Targets

- Target
  
  87d5c387c363d12da2820e403d03c8b3_JaffaCakes118
- Size
  
  1.7MB
- MD5
  
  87d5c387c363d12da2820e403d03c8b3
- SHA1
  
  5c37c95ddf2bdbf470f98088e061047f6acc506f
- SHA256
  
  aaf55d748b8854f02dfeec78839b51b8b4eb404846fd8afe019ccf521bf5f746
- SHA512
  
  2e43f491bdf17bbcca1b183cd17aeefe01b873654ddb72dc42686cc475ed834b62664a8ff5d95584fd814420041e6a1adc858ef783efc75d9ba46f1b8d77358a
- SSDEEP
  
  6144:tS7ErGlSI2izLoZKhb1xhfyC55nuvYxRRAOhVxndeCiy:U7EalzzLSKhxvf/nuvYxRRjgLy
Score

10^/10

warzonerat execution infostealer persistence rat discovery
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratexecutioninfostealerpersistencerat

behavioral2

warzoneratdiscoveryexecutioninfostealerpersistencerat

© 2018-2024

Terms | Privacy