warzonerat | 43e4f5b32d6b7149da6cddf0b59b3758f20e7ec1251b6b0e88a0e3a74967d1c3 | Triage

Sharing

General

Target

test.exe
Size

132KB
Sample

240701-ybqknazaqq
MD5

0c3df708e8a038652d1e524fddef59a9
SHA1

d2666c9438089bd886da4f117a7f95a7dd1b78e9
SHA256

43e4f5b32d6b7149da6cddf0b59b3758f20e7ec1251b6b0e88a0e3a74967d1c3
SHA512

bda314ebb977dc112fd072e5bdc999b91eba220f7eae83497dd8972beace6258d32d51eaf27f2e9ff5c37f3d7e458bbcfc72cc7ce02407fc667446bbf5b7cffd
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

people-climbing.gl.at.ply.gg:54251

Targets

- Target
  
  test.exe
- Size
  
  132KB
- MD5
  
  0c3df708e8a038652d1e524fddef59a9
- SHA1
  
  d2666c9438089bd886da4f117a7f95a7dd1b78e9
- SHA256
  
  43e4f5b32d6b7149da6cddf0b59b3758f20e7ec1251b6b0e88a0e3a74967d1c3
- SHA512
  
  bda314ebb977dc112fd072e5bdc999b91eba220f7eae83497dd8972beace6258d32d51eaf27f2e9ff5c37f3d7e458bbcfc72cc7ce02407fc667446bbf5b7cffd
- SSDEEP
  
  3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Score

10^/10

warzonerat execution infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratexecutioninfostealerpersistencerat