warzonerat | a72ff4b13f5202ef9baeadc24f27d69c3fcfbb5c2de54e0b5a79ec408f6d5aa4 | Triage

Submit
Reports

Overview

overview

Static

static

SecuriteIn...82.exe

windows7-x64

SecuriteIn...82.exe

windows10-2004-x64

Sharing

General

Target

SecuriteInfo.com.Win32.PWSX-gen.22881.19782.exe
Size

519KB
Sample

221122-v2jm9abd36
MD5

6befe3992722dca19208c0f70b3619c8
SHA1

a5195c8079150b8f7656e3dbff4011770088f503
SHA256

a72ff4b13f5202ef9baeadc24f27d69c3fcfbb5c2de54e0b5a79ec408f6d5aa4
SHA512

31cd22a945d785a6b6ed1bec884bcf1f054da1dfdb38d7b228a042397584581253ce36f8ab3ee2044dc232401288fb1e462e77fec35600c051b5dfec847aaa31
SSDEEP

12288:2ZLABfUncbo42eKEHjC87rntsjPNXF3Z7iq7wjx:2ZLuUwo42e5TWjPNFlw

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Win32.PWSX-gen.22881.19782.exe

Resource

win7-20221111-en

warzonerat infostealer persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Win32.PWSX-gen.22881.19782.exe

Resource

win10v2004-20221111-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

fukfndru.ddns.net:2928

Targets

- Target
  
  SecuriteInfo.com.Win32.PWSX-gen.22881.19782.exe
- Size
  
  519KB
- MD5
  
  6befe3992722dca19208c0f70b3619c8
- SHA1
  
  a5195c8079150b8f7656e3dbff4011770088f503
- SHA256
  
  a72ff4b13f5202ef9baeadc24f27d69c3fcfbb5c2de54e0b5a79ec408f6d5aa4
- SHA512
  
  31cd22a945d785a6b6ed1bec884bcf1f054da1dfdb38d7b228a042397584581253ce36f8ab3ee2044dc232401288fb1e462e77fec35600c051b5dfec847aaa31
- SSDEEP
  
  12288:2ZLABfUncbo42eKEHjC87rntsjPNXF3Z7iq7wjx:2ZLuUwo42e5TWjPNFlw
Score

10^/10

warzonerat infostealer persistence rat collection spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy