warzonerat | b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317 | Triage

Submit
Reports

Overview

overview

Static

static

b42e067f18...17.exe

windows7-x64

b42e067f18...17.exe

windows10-2004-x64

Sharing

General

Target

b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317
Size

2.8MB
Sample

221125-lvb56ace3v
MD5

8118c2856c90a0668d8e1d2f8f96ca3f
SHA1

53dafa742d3dec42ebea51c1d6d643c7b15c788c
SHA256

b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317
SHA512

984f1ee6ee8d17bf6ed3e7da01261ba3e7817b86ca6f9e7fdfc40e0a4a93a4d579bff4db1d0d63320b4a1ba70efb78de4001487287742def9f7e99fdbf3a199a
SSDEEP

3072:a4ulmi682JhXH8A765qPP6I8AD5Ul7ePzjPKCblLCdC1TcIFr33QxB4KU5YGdOrt:Nu92JhXH8Q65qPP6I8AD5Ul7Cl

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317.exe

Resource

win7-20220901-en

warzonerat infostealer persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317.exe

Resource

win10v2004-20220812-en

warzonerat infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

msdos.treatwellshome.xyz:5200

Targets

- Target
  
  b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317
- Size
  
  2.8MB
- MD5
  
  8118c2856c90a0668d8e1d2f8f96ca3f
- SHA1
  
  53dafa742d3dec42ebea51c1d6d643c7b15c788c
- SHA256
  
  b42e067f18f4cea6ab3982664c78da81b57d8949f71898d77eacc13e61bfc317
- SHA512
  
  984f1ee6ee8d17bf6ed3e7da01261ba3e7817b86ca6f9e7fdfc40e0a4a93a4d579bff4db1d0d63320b4a1ba70efb78de4001487287742def9f7e99fdbf3a199a
- SSDEEP
  
  3072:a4ulmi682JhXH8A765qPP6I8AD5Ul7ePzjPKCblLCdC1TcIFr33QxB4KU5YGdOrt:Nu92JhXH8Q65qPP6I8AD5Ul7Cl
Score

10^/10

warzonerat infostealer persistence rat
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy