warzonerat | 17feb12c1d7accb3247122aee35d0f6f1ff23b25f25d6ca0ec04d6dd83f6e734 | Triage

Sharing

General

Target

17feb12c1d7accb3247122aee35d0f6f1ff23b25f25d6ca0ec04d6dd83f6e734N
Size

2.9MB
Sample

241111-zaqppswcjh
MD5

dc6746e1dcf9b37173b4998bbae901b0
SHA1

67bd1c7cc4a1aac1dea4cf893d528ad5a9e8071f
SHA256

17feb12c1d7accb3247122aee35d0f6f1ff23b25f25d6ca0ec04d6dd83f6e734
SHA512

e706b7b19acd9a7f54a5da36cd9aef4335a39007fb85fa12f41fd700deb520289bebf090600976e92b1ef36d80626e54e128428670e74dcd6469dfb24499038a
SSDEEP

24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHp:eTy7ASmw4gxeOw46fUbNecCCFbNecc

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Targets

- Target
  
  17feb12c1d7accb3247122aee35d0f6f1ff23b25f25d6ca0ec04d6dd83f6e734N
- Size
  
  2.9MB
- MD5
  
  dc6746e1dcf9b37173b4998bbae901b0
- SHA1
  
  67bd1c7cc4a1aac1dea4cf893d528ad5a9e8071f
- SHA256
  
  17feb12c1d7accb3247122aee35d0f6f1ff23b25f25d6ca0ec04d6dd83f6e734
- SHA512
  
  e706b7b19acd9a7f54a5da36cd9aef4335a39007fb85fa12f41fd700deb520289bebf090600976e92b1ef36d80626e54e128428670e74dcd6469dfb24499038a
- SSDEEP
  
  24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHp:eTy7ASmw4gxeOw46fUbNecCCFbNecc
Score

10^/10

warzonerat discovery evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryevasioninfostealerpersistencerat

behavioral2

warzoneratdiscoveryevasioninfostealerpersistencerat