warzonerat | a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842 | Triage

Sharing

General

Target

Remit receipt.exe
Size

328KB
Sample

210524-yvj99d4g9e
MD5

9df3b36279313b95e818c90ba404e446
SHA1

b9fad9b9d00ac30a9c950110207971fff88a3f87
SHA256

a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
SHA512

c3941e53c7d37ed424fcb7b61d44d418a00fa3911186575a17013cf85a2521325ce5b2b71bccb0ff22f45ff9ff330954e271838443f35bcf6ab31b8bcc81ba6f

Score

10^/10

warzonerat infostealer rat spyware stealer

Malware Config

Extracted

Family

warzonerat

C2

195.133.40.109:5200

Targets

- Target
  
  Remit receipt.exe
- Size
  
  328KB
- MD5
  
  9df3b36279313b95e818c90ba404e446
- SHA1
  
  b9fad9b9d00ac30a9c950110207971fff88a3f87
- SHA256
  
  a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
- SHA512
  
  c3941e53c7d37ed424fcb7b61d44d418a00fa3911186575a17013cf85a2521325ce5b2b71bccb0ff22f45ff9ff330954e271838443f35bcf6ab31b8bcc81ba6f
Score

10^/10

warzonerat infostealer rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerratspywarestealer

behavioral2