warzonerat | b4db0e78b3dc3b659c8c0c5802fbcef14d9876e51c26a14020ffee2575f5faee | Triage

Submit
Reports

Overview

overview

Static

static

T091902200...RU.exe

windows7-x64

T091902200...RU.exe

windows10-2004-x64

Sharing

General

Target

T0919022001 - MARVA SAC PERU.exe
Size

1.4MB
Sample

221121-nglhsagc94
MD5

b0e47e09e21671c7ca51f98278d81a15
SHA1

22d4981d70b9c4a9e8a2aefc0ed80045f2f20199
SHA256

b4db0e78b3dc3b659c8c0c5802fbcef14d9876e51c26a14020ffee2575f5faee
SHA512

a7fbb2ef381cbabd1a50958249dff60ecef13fb070785a98402bd66ba3ca121851cc92edbd862d59f883b7190026bc374c94bc15273766d1e536f0f7d75cb76c
SSDEEP

24576:RafCpuXTIOqdOADap8G+ccojpzXZ386feVjN+Z+4vo:XuUfdOADa7+ccoFX+jRH

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

T0919022001 - MARVA SAC PERU.exe

Resource

win7-20220812-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

T0919022001 - MARVA SAC PERU.exe

Resource

win10v2004-20220812-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  T0919022001 - MARVA SAC PERU.exe
- Size
  
  1.4MB
- MD5
  
  b0e47e09e21671c7ca51f98278d81a15
- SHA1
  
  22d4981d70b9c4a9e8a2aefc0ed80045f2f20199
- SHA256
  
  b4db0e78b3dc3b659c8c0c5802fbcef14d9876e51c26a14020ffee2575f5faee
- SHA512
  
  a7fbb2ef381cbabd1a50958249dff60ecef13fb070785a98402bd66ba3ca121851cc92edbd862d59f883b7190026bc374c94bc15273766d1e536f0f7d75cb76c
- SSDEEP
  
  24576:RafCpuXTIOqdOADap8G+ccojpzXZ386feVjN+Z+4vo:XuUfdOADa7+ccoFX+jRH
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy