warzonerat | 07d9230fbaed91a6d5151284d6d5feecf0a3d77a47a06ecb88d7695a720a8851 | Triage

Submit
Reports

Overview

overview

Static

static

8ef069f8a5...cs.exe

windows7-x64

8ef069f8a5...cs.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

8ef069f8a5afbf67430e32fe8abfd700_NeikiAnalytics.exe
Size

1.8MB
Sample

240601-fzlx9sbg72
MD5

8ef069f8a5afbf67430e32fe8abfd700
SHA1

95cbfc3eeeccaa9c0b923a6d58cd68d50c808c62
SHA256

07d9230fbaed91a6d5151284d6d5feecf0a3d77a47a06ecb88d7695a720a8851
SHA512

10e4ee7c7aac35937fa4dbc35c87ac89c754de43dc8c9d604fa2c839d62833bb10228462134da6e1ef0fab3e1d4a108705b60940ca336cdc4b63b1f33e0fd046
SSDEEP

12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUen:x+D9uVMpjOyerrFQDbGV6eH81kz

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

8ef069f8a5afbf67430e32fe8abfd700_NeikiAnalytics.exe

Resource

win7-20240221-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

8ef069f8a5afbf67430e32fe8abfd700_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  8ef069f8a5afbf67430e32fe8abfd700_NeikiAnalytics.exe
- Size
  
  1.8MB
- MD5
  
  8ef069f8a5afbf67430e32fe8abfd700
- SHA1
  
  95cbfc3eeeccaa9c0b923a6d58cd68d50c808c62
- SHA256
  
  07d9230fbaed91a6d5151284d6d5feecf0a3d77a47a06ecb88d7695a720a8851
- SHA512
  
  10e4ee7c7aac35937fa4dbc35c87ac89c754de43dc8c9d604fa2c839d62833bb10228462134da6e1ef0fab3e1d4a108705b60940ca336cdc4b63b1f33e0fd046
- SSDEEP
  
  12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUen:x+D9uVMpjOyerrFQDbGV6eH81kz
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2025

Terms | Privacy