warzonerat | 8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a | Triage

Submit
Reports

Overview

overview

Static

static

Quotation-...74.exe

windows7_x64

Quotation-...74.exe

windows10-2004_x64

Sharing

General

Target

8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a
Size

143KB
Sample

220521-b1sd8afhcm
MD5

fbe29d660cb9c98b7844b7510565cedc
SHA1

e40aa11a8e098a84b982e436b34158955fc60943
SHA256

8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a
SHA512

9c83428b740a22e64029db0c5bb032927c239ca426ec5f7a2a1440f37b9ef3892d263b2c8eac91e3c1234d52cf3f6dd5044e1d65cca073030fc3ca324dc4c787

Score

10^/10

warzonerat evasion infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

Quotation-937847836-178474.exe

Resource

win7-20220414-en

warzonerat evasion infostealer rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Quotation-937847836-178474.exe

Resource

win10v2004-20220414-en

warzonerat evasion infostealer rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

newzone.from-ne.com:3200

Targets

- Target
  
  Quotation-937847836-178474.exe
- Size
  
  188KB
- MD5
  
  bbc4ffcf3ffdd24fda14f1d234966e33
- SHA1
  
  9d4d3b412493806601fa61492d0b58f06bce3ee1
- SHA256
  
  4a1f7dc3d33366c303e8fb2c7c44d4929d5898f219bcf952bafba336b8056e91
- SHA512
  
  f1e33bee03ddaaee6682b351a522ea3a8759b324a1aefeb885ae5407d78b18053f21336d247cb1b9ddbb7c0d2b00c85c44165c04b47191650812913850d46f3b
Score

10^/10

warzonerat evasion infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Warzone RAT Payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerrat

behavioral2

warzoneratevasioninfostealerrat

© 2018-2024

Terms | Privacy