warzonerat | 87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3 | Triage

Submit
Reports

Overview

overview

Static

static

87290a1222...3N.exe

windows7-x64

87290a1222...3N.exe

windows10-2004-x64

Sharing

General

Target

87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3N.exe
Size

8.9MB
Sample

241218-f91t6svqat
MD5

4f507f36390e3941405eff5cf37e0170
SHA1

15a9717df6aff646c864ec33f68c01559ca0f789
SHA256

87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3
SHA512

ae6856da286ecab25c233fad180e4c01996bfb744a149ef424637fffc2f69cfce6269fc735609f09ef77aacdab30e1370505956e22709fc5d99a20274abe9bea
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecR:K1+8e8e8f8e8e8s

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3N.exe

Resource

win7-20241023-en

warzonerat discovery evasion infostealer persistence rat

windows7-x64

17 signatures

120 seconds

Behavioral task

behavioral2

Sample

87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3N.exe

Resource

win10v2004-20241007-en

warzonerat discovery evasion infostealer persistence rat

windows10-2004-x64

16 signatures

120 seconds

Malware Config

Targets

- Target
  
  87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3N.exe
- Size
  
  8.9MB
- MD5
  
  4f507f36390e3941405eff5cf37e0170
- SHA1
  
  15a9717df6aff646c864ec33f68c01559ca0f789
- SHA256
  
  87290a122227a323a441974647abfd13bacf1aac40d7402145308a6488bea2a3
- SHA512
  
  ae6856da286ecab25c233fad180e4c01996bfb744a149ef424637fffc2f69cfce6269fc735609f09ef77aacdab30e1370505956e22709fc5d99a20274abe9bea
- SSDEEP
  
  49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecR:K1+8e8e8f8e8e8s
Score

10^/10

warzonerat discovery evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryevasioninfostealerpersistencerat

behavioral2

warzoneratdiscoveryevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy