warzonerat | 9cd417da68471226ae74dfdcb89a506d591b50561be9f596f894178adc0d366e | Triage

Submit
Reports

Overview

overview

Static

static

New suppli...OC.exe

windows7_x64

New suppli...OC.exe

windows10-2004_x64

Sharing

General

Target

9cd417da68471226ae74dfdcb89a506d591b50561be9f596f894178adc0d366e
Size

357KB
Sample

220521-cxh7tahfhn
MD5

51c45fd730a27394da19cfe296e6cb3b
SHA1

db5227839f3eacff1209b2cafff3a99e3f7af01a
SHA256

9cd417da68471226ae74dfdcb89a506d591b50561be9f596f894178adc0d366e
SHA512

e6300f02dae7c973eea079417958a9b1669eef7216e35d23badbb613756a59f101a449a03bd46924ba90355d20c5f294936b0c1a8f9e5eb857357a6420881b44

Score

10^/10

warzonerat evasion infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

New supplier Inquiry and PO 208202750_ DOC.exe

Resource

win7-20220414-en

warzonerat evasion infostealer rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New supplier Inquiry and PO 208202750_ DOC.exe

Resource

win10v2004-20220414-en

warzonerat evasion infostealer rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

divy.nerdpol.ovh:5200

Targets

- Target
  
  New supplier Inquiry and PO 208202750_ DOC.exe
- Size
  
  421KB
- MD5
  
  c8cc1aa9f0824c83a98cf9072d0079cb
- SHA1
  
  61c95c346b2c07d5a7ac2bb1d30745903a3ad99b
- SHA256
  
  25bd8be2689477443c6a6b89c3195bd81b733853aa4502cfd14a6e25afc3798e
- SHA512
  
  74e30df757e59db8f67a09fbaec4a47ccfe3cf9cb9ecc7244517e5e9a3b71373ea2dd3f8977490b3437a62c6b4f991d9053cf5a7492e34960a148486614443e3
Score

10^/10

warzonerat evasion infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Warzone RAT Payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerrat

behavioral2

warzoneratevasioninfostealerrat

© 2018-2024

Terms | Privacy