warzonerat | 2c63b4926ec8ca28ade534c72cf11a63db6f55882d08a1f97575e88986209838 | Triage

Submit
Reports

Overview

overview

Static

static

91054318.exe

windows7-x64

91054318.exe

windows10-2004-x64

Sharing

General

Target

91054318.exe
Size

967KB
Sample

221003-hr3bdsdghk
MD5

dfc8fe939a5c394155c499b3e19e9ff1
SHA1

e95fa2f0df08602e9f6facdb7bc29534009d1097
SHA256

2c63b4926ec8ca28ade534c72cf11a63db6f55882d08a1f97575e88986209838
SHA512

4b7dfa930e150f1308656ccf6543d98b3f7f707f1d684a354220dcd81719917f3399a51777cf4b79b2588568bae8d62f094d21bcd8c24446b9114e1945be7585
SSDEEP

12288:zTSdH+44q6dT7XUQAWqrbwrvId4UIMYLF2wixc0Nq6JgpVXM/mjNtRGKi:HYv4HEQAWFIzLYLF2JG+qyj/wRGKi

Score

10^/10

warzonerat collection infostealer rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

91054318.exe

Resource

win7-20220812-en

warzonerat infostealer rat

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

91054318.exe

Resource

win10v2004-20220812-en

warzonerat collection infostealer rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

willia2.ddns.net:4120

Targets

- Target
  
  91054318.exe
- Size
  
  967KB
- MD5
  
  dfc8fe939a5c394155c499b3e19e9ff1
- SHA1
  
  e95fa2f0df08602e9f6facdb7bc29534009d1097
- SHA256
  
  2c63b4926ec8ca28ade534c72cf11a63db6f55882d08a1f97575e88986209838
- SHA512
  
  4b7dfa930e150f1308656ccf6543d98b3f7f707f1d684a354220dcd81719917f3399a51777cf4b79b2588568bae8d62f094d21bcd8c24446b9114e1945be7585
- SSDEEP
  
  12288:zTSdH+44q6dT7XUQAWqrbwrvId4UIMYLF2wixc0Nq6JgpVXM/mjNtRGKi:HYv4HEQAWFIzLYLF2JG+qyj/wRGKi
Score

10^/10

warzonerat infostealer rat collection spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratcollectioninfostealerratspywarestealer

© 2018-2024

Terms | Privacy