warzonerat | 1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc | Triage

Sharing

General

Target

UPS 1Z1E31080372565980.cmd.exe
Size

928KB
Sample

221108-s1ydxafggr
MD5

eaf8556f373e47066026977ae8924a02
SHA1

1e9e4bd736398e64391db945aead5d41b71bbc42
SHA256

1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc
SHA512

1bb4798fd0e6d901a4bd8ccbd17f30f70f73f4ebe2a06c3dde1fcc49180859a8b27e350e6dfab8ea98f7c31dd3c48293faa4897525105acdc983a71b50f7ff29
SSDEEP

12288:cmTb4ScxQiE2iNzpqAwtjgLvk+jrasr4CxBHE2NybtQGJm8V01:Hf+E1SAwFgLvr94UX4BQG88O

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

pastorcc.duckdns.org:2223

Targets

- Target
  
  UPS 1Z1E31080372565980.cmd.exe
- Size
  
  928KB
- MD5
  
  eaf8556f373e47066026977ae8924a02
- SHA1
  
  1e9e4bd736398e64391db945aead5d41b71bbc42
- SHA256
  
  1a0353868f82c688e13b205719e1cdde7a05c018662d364ea05df8038534aebc
- SHA512
  
  1bb4798fd0e6d901a4bd8ccbd17f30f70f73f4ebe2a06c3dde1fcc49180859a8b27e350e6dfab8ea98f7c31dd3c48293faa4897525105acdc983a71b50f7ff29
- SSDEEP
  
  12288:cmTb4ScxQiE2iNzpqAwtjgLvk+jrasr4CxBHE2NybtQGJm8V01:Hf+E1SAwFgLvr94UX4BQG88O
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratinfostealerrat