warzonerat | f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886 | Triage

Submit
Reports

Overview

overview

Static

static

f9ff32eb14...86.exe

windows7-x64

f9ff32eb14...86.exe

windows10-2004-x64

Sharing

General

Target

f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886
Size

1.8MB
Sample

240704-gk34nszcpd
MD5

796ce7f64abf748e4566d9f095bc2d35
SHA1

e13e0c6fa49e367519566f449245f15d36a898c4
SHA256

f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886
SHA512

cf8890690bcd342e7c89d9f77ca00bed91b7eb83f7eec70d39ffba267703c452c6a6f59f5c90f0c50477d56fee6b8abf63120e29165ed4231530f0ffb09b3135
SSDEEP

12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgj:r1gg4CppEI6GGfWDkCQDbGV6eH81kE

Score

10^/10

warzonerat evasion infostealer persistence rat

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886.exe

Resource

win7-20240611-en

warzonerat evasion infostealer persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886.exe

Resource

win10v2004-20240508-en

warzonerat evasion infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886
- Size
  
  1.8MB
- MD5
  
  796ce7f64abf748e4566d9f095bc2d35
- SHA1
  
  e13e0c6fa49e367519566f449245f15d36a898c4
- SHA256
  
  f9ff32eb145f7111b13b460898298ab8397e661cd62054458de93e318cfdd886
- SHA512
  
  cf8890690bcd342e7c89d9f77ca00bed91b7eb83f7eec70d39ffba267703c452c6a6f59f5c90f0c50477d56fee6b8abf63120e29165ed4231530f0ffb09b3135
- SSDEEP
  
  12288:p99Vbpgx4OuE+aCpBPY0PkI686WNUfWO6yuXzT5SPlSGN/A7W2FeDSIGVH/KIDgj:r1gg4CppEI6GGfWDkCQDbGV6eH81kE
Score

10^/10

warzonerat evasion infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Active Setup

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistencerat

behavioral2

warzoneratevasioninfostealerpersistencerat

© 2018-2024

Terms | Privacy