warzonerat | 0fba4fd5ff2a688d0c0c0597c84436a5adcff4c2e5396057962a121af79ad382 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3186f04f55...b9.xll

windows7-x64

7

3186f04f55...b9.xll

windows10-2004-x64

Sharing

General

Target

8231936381.zip
Size

483KB
Sample

221018-z4v7aadge7
MD5

435ee7dd0c4b134392ce7ce30d71dd6a
SHA1

6182ca4c0cf3aeb8c562fe3270cabbd85e45ec87
SHA256

0fba4fd5ff2a688d0c0c0597c84436a5adcff4c2e5396057962a121af79ad382
SHA512

ecb7fb5ec48c0560f6cdcfa9d227d55e34778e72ff695a68bb7e3ea8a24e41ce1f5bc18ae99076893eff66ddb4ad8704e77449623b06a711d90459adb41b8970
SSDEEP

12288:xzrj51lxjJLkaDBgfdrnrLLQmU1+IxuKWUpFoqsw:xPnj9k/1rnPLQmzIoZqp

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll

Resource

win7-20220812-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll

Resource

win10v2004-20220901-en

warzonerat infostealer persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

warzonerat

C2

windnsch.freeddns.org:5200

Targets

- Target
  
  3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9
- Size
  
  2.1MB
- MD5
  
  a97f17d7e510b0d4ec4001117a6841f1
- SHA1
  
  eb1d1ea6719cdce7888de2a92661d070867667d5
- SHA256
  
  3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9
- SHA512
  
  d3941e83a3ef974c621aeef4cb4b9611e9a6a6527217ea0af6e69d0de97b877743c33ca3ec73d6d7718b8bf5033dbe190fb75a7883ceafc0d22429e94b082df4
- SSDEEP
  
  12288:BS7bj8jdxOe8bzbBSref+HvqABx5vLuW4x:B68aX1QiAr5aW4x
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2025

Terms | Privacy