warzonerat | a2f25508bf1afda77068376b2ff8418e18a089bf2dfa31df58bf3428eb8b5477 | Triage

Submit
Reports

Overview

overview

Static

static

3

0186ebe5d9...18.exe

windows7-x64

0186ebe5d9...18.exe

windows10-2004-x64

Sharing

General

Target

0186ebe5d9283ebf5468d6e6aa43ad07_JaffaCakes118
Size

297KB
Sample

240622-lz42qsshlb
MD5

0186ebe5d9283ebf5468d6e6aa43ad07
SHA1

e64ea76a4c8aed4ff374814cfc912181ab159717
SHA256

a2f25508bf1afda77068376b2ff8418e18a089bf2dfa31df58bf3428eb8b5477
SHA512

f7eafc05d247e6046b04b45f7e11535493b88e11048a4ded1102e27fb26ba7f1e52340353341935cd42e2675a50a4a766141c1ab28aeb7fdd64adb01fb5a0cfc
SSDEEP

6144:C2WaaHuwcF+pZ+HpQ5wXJuKA7M8mt6RjGtEIjggHeyvMH:C7hHVLCHbX3AsYRjGtLggHeyvMH

Score

10^/10

warzonerat execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

0186ebe5d9283ebf5468d6e6aa43ad07_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat infostealer rat

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

0186ebe5d9283ebf5468d6e6aa43ad07_JaffaCakes118.exe

Resource

win10v2004-20240508-en

warzonerat execution infostealer persistence rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

binancino.hopto.org:5200

Targets

- Target
  
  0186ebe5d9283ebf5468d6e6aa43ad07_JaffaCakes118
- Size
  
  297KB
- MD5
  
  0186ebe5d9283ebf5468d6e6aa43ad07
- SHA1
  
  e64ea76a4c8aed4ff374814cfc912181ab159717
- SHA256
  
  a2f25508bf1afda77068376b2ff8418e18a089bf2dfa31df58bf3428eb8b5477
- SHA512
  
  f7eafc05d247e6046b04b45f7e11535493b88e11048a4ded1102e27fb26ba7f1e52340353341935cd42e2675a50a4a766141c1ab28aeb7fdd64adb01fb5a0cfc
- SSDEEP
  
  6144:C2WaaHuwcF+pZ+HpQ5wXJuKA7M8mt6RjGtEIjggHeyvMH:C7hHVLCHbX3AsYRjGtLggHeyvMH
Score

10^/10

warzonerat infostealer rat execution persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratexecutioninfostealerpersistencerat

© 2018-2024

Terms | Privacy