warzonerat | 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717 | Triage

Submit
Reports

Overview

overview

Static

static

Item Selec...ng.rtf

windows7-x64

Item Selec...ng.rtf

windows10-2004-x64

Sharing

General

Target

Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Size

216KB
Sample

220923-gx7bvsdcg6
MD5

9bc102ffb0930f5dee65bde8e0ba6d89
SHA1

37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256

959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
SHA512

acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
SSDEEP

1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP

Score

10^/10

warzonerat infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf

Resource

win7-20220812-en

warzonerat infostealer rat

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf

Resource

win10v2004-20220812-en

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://login.929389.ankura.us/AwOgYiWG/explorer.exe

Extracted

Family

warzonerat

C2

20.126.95.155:7800

Targets

- Target
  
  Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
- Size
  
  216KB
- MD5
  
  9bc102ffb0930f5dee65bde8e0ba6d89
- SHA1
  
  37cac7507a6ad02a75d947a9bdfe115f2da8b71b
- SHA256
  
  959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
- SHA512
  
  acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
- SSDEEP
  
  1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP
Score

10^/10

warzonerat infostealer rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

© 2018-2024

Terms | Privacy