warzonerat | 07c4b3390aacf7d40aa2c6d3df6d4b71663f6b01c8987512c5947d7bd5f82eb4 | Triage

Sharing

General

Target

07c4b3390aacf7d40aa2c6d3df6d4b71663f6b01c8987512c5947d7bd5f82eb4
Size

132KB
Sample

240925-gb4nva1cnc
MD5

b7f9960d9d6e67c078628f111f39c75c
SHA1

946b890a0dc313b9890a2dbcb93cd0ccd9f94e1e
SHA256

07c4b3390aacf7d40aa2c6d3df6d4b71663f6b01c8987512c5947d7bd5f82eb4
SHA512

a8804b61f93e275ac5ea25d1f048ccef51ea0712d956fb26b697ad1b3be07baf8a3d54825d3ac876e9595e9c0fdaa4e57c315ad8a89201ef04ab6ffa22accabe
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

0.tcp.ngrok.io:5200

Targets

- Target
  
  07c4b3390aacf7d40aa2c6d3df6d4b71663f6b01c8987512c5947d7bd5f82eb4
- Size
  
  132KB
- MD5
  
  b7f9960d9d6e67c078628f111f39c75c
- SHA1
  
  946b890a0dc313b9890a2dbcb93cd0ccd9f94e1e
- SHA256
  
  07c4b3390aacf7d40aa2c6d3df6d4b71663f6b01c8987512c5947d7bd5f82eb4
- SHA512
  
  a8804b61f93e275ac5ea25d1f048ccef51ea0712d956fb26b697ad1b3be07baf8a3d54825d3ac876e9595e9c0fdaa4e57c315ad8a89201ef04ab6ffa22accabe
- SSDEEP
  
  3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Score

10^/10

warzonerat discovery execution infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryexecutioninfostealerpersistencerat

behavioral2

warzoneratdiscoveryexecutioninfostealerpersistencerat