warzonerat | 832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184 | Triage

Submit
Reports

Overview

overview

Static

static

5bf6e26774...18.exe

windows7-x64

5bf6e26774...18.exe

windows10-2004-x64

Sharing

General

Target

5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118
Size

13.0MB
Sample

241019-lfnkms1arm
MD5

5bf6e2677428bf5522ce0e73800d6e4e
SHA1

61b20e748faa569af58c8690e6bd88b4ed723bab
SHA256

832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184
SHA512

bc62b1f8fc35472077d7127052f703141524edd5e93a14985a3645e2d47422858bbc66ea66dd617ffaf48349429dfd0bca321c72571a03ac73b07c2743159894
SSDEEP

196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStJ:D7d9xZo7d9xZS7d9xZo7d9xZy

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Static task

static1

rat upx warzonerat

4 signatures

Behavioral task

behavioral1

Sample

5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe

Resource

win7-20241010-en

warzonerat discovery infostealer persistence rat upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118.exe

Resource

win10v2004-20241007-en

warzonerat discovery evasion infostealer persistence rat upx

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  5bf6e2677428bf5522ce0e73800d6e4e_JaffaCakes118
- Size
  
  13.0MB
- MD5
  
  5bf6e2677428bf5522ce0e73800d6e4e
- SHA1
  
  61b20e748faa569af58c8690e6bd88b4ed723bab
- SHA256
  
  832275cf002c9434d86af37d429fa2210f432fba8104a6cca66794fa762dc184
- SHA512
  
  bc62b1f8fc35472077d7127052f703141524edd5e93a14985a3645e2d47422858bbc66ea66dd617ffaf48349429dfd0bca321c72571a03ac73b07c2743159894
- SSDEEP
  
  196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStJ:D7d9xZo7d9xZS7d9xZo7d9xZy
Score

10^/10

warzonerat discovery infostealer persistence rat upx evasion
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

ratupxwarzonerat

behavioral1

warzoneratdiscoveryinfostealerpersistenceratupx

behavioral2

warzoneratdiscoveryevasioninfostealerpersistenceratupx

© 2018-2024

Terms | Privacy