warzonerat | fdd2aeecda3fe4a1fb61be1058ed53c337d79f7e2a8e1bde6a470f26f8995732 | Triage

Submit
Reports

Overview

overview

Static

static

FilesG_qdoNhHLK.exe

windows7_x64

FilesG_qdoNhHLK.exe

windows10_x64

Sharing

General

Target

FilesG_qdoNhHLK.exe
Size

435KB
Sample

220111-vx8rksgfhm
MD5

c0f6db6255fed464e6e7fd8add0206a4
SHA1

62277d7d6ee3d32c964f10cc423f4cbe6e98cb9e
SHA256

fdd2aeecda3fe4a1fb61be1058ed53c337d79f7e2a8e1bde6a470f26f8995732
SHA512

72cca39f503a112b03f7c7a9f840bc7294864662125090413d6cd27cac2aa66420fe55555778127ca5bc7a73fdb292680a4d580f07b586c974a03a8fd8ad3f73

Score

10^/10

warzonerat collection infostealer rat spyware stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

FilesG_qdoNhHLK.exe

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

FilesG_qdoNhHLK.exe

Resource

win10-en-20211208

warzonerat collection infostealer rat spyware stealer suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

lionlee.nerdpol.ovh:5200

Targets

- Target
  
  FilesG_qdoNhHLK.exe
- Size
  
  435KB
- MD5
  
  c0f6db6255fed464e6e7fd8add0206a4
- SHA1
  
  62277d7d6ee3d32c964f10cc423f4cbe6e98cb9e
- SHA256
  
  fdd2aeecda3fe4a1fb61be1058ed53c337d79f7e2a8e1bde6a470f26f8995732
- SHA512
  
  72cca39f503a112b03f7c7a9f840bc7294864662125090413d6cd27cac2aa66420fe55555778127ca5bc7a73fdb292680a4d580f07b586c974a03a8fd8ad3f73
Score

10^/10

warzonerat collection infostealer rat spyware stealer suricata
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Warzone RAT Payload
  rat
- Downloads MZ/PE file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratcollectioninfostealerratspywarestealersuricata

© 2018-2024

Terms | Privacy