warzonerat | 7e0cfcc29e5cfaa2e149018b35bd3776fae867467ae2b91c65f7c873bf8f9a8a | Triage

Submit
Reports

Overview

overview

Static

static

Equipment'...ic.exe

windows7-x64

Equipment'...ic.exe

windows10-2004-x64

Sharing

General

Target

Equipment's A107 Prime Power Logistic.exe
Size

1.0MB
Sample

221109-ggvywsfghj
MD5

0ddbb8eedaca75c0acb0a034e1eae063
SHA1

93501b2d5019dcc2aa56c3e7bce76da4970b61ef
SHA256

7e0cfcc29e5cfaa2e149018b35bd3776fae867467ae2b91c65f7c873bf8f9a8a
SHA512

4135facb244dce9c18bd64c736cba8105001982bc309dc3dfb03cbdd1e079d8fcdb25fc9d50c425ba43ae3772848ec25b06dc1b6a5016ea45da53d4809fa3b9d
SSDEEP

24576:rAOcZGRABC2nDlqRpNFkHTr+Mo5pemHI0Yuyq3:t4DQR2xo5EmHWq3

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Equipment's A107 Prime Power Logistic.exe

Resource

win7-20220901-en

warzonerat collection infostealer persistence rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

Equipment's A107 Prime Power Logistic.exe

Resource

win10v2004-20220812-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

chexfotii.ddns.net:4545

Targets

- Target
  
  Equipment's A107 Prime Power Logistic.exe
- Size
  
  1.0MB
- MD5
  
  0ddbb8eedaca75c0acb0a034e1eae063
- SHA1
  
  93501b2d5019dcc2aa56c3e7bce76da4970b61ef
- SHA256
  
  7e0cfcc29e5cfaa2e149018b35bd3776fae867467ae2b91c65f7c873bf8f9a8a
- SHA512
  
  4135facb244dce9c18bd64c736cba8105001982bc309dc3dfb03cbdd1e079d8fcdb25fc9d50c425ba43ae3772848ec25b06dc1b6a5016ea45da53d4809fa3b9d
- SSDEEP
  
  24576:rAOcZGRABC2nDlqRpNFkHTr+Mo5pemHI0Yuyq3:t4DQR2xo5EmHWq3
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2024

Terms | Privacy