warzonerat | f92ef33594e2dea236dd194b6d1c78ba5ace8702e5fa02fc48462073e8d8c010 | Triage

Submit
Reports

Overview

overview

Static

static

#PO.098776...DF.exe

windows7-x64

#PO.098776...DF.exe

windows10-2004-x64

Sharing

General

Target

#PO.09877657890439888IpzJ3FEGdOMFjHn.PDF.exe
Size

755KB
Sample

221206-lh19hshc5x
MD5

c9b1ecfd1ec4a4ebd841f77ee0e74ca0
SHA1

54d8a155fbf50720ec99817a4e5dee29d021a0ed
SHA256

f92ef33594e2dea236dd194b6d1c78ba5ace8702e5fa02fc48462073e8d8c010
SHA512

a488ec12d8f90bee5f875b8cfb918b44bd41499545863b2c4da47963a2adccca3be3ffe05fd8412ee8db35520aa3686975b53c4fbce0aa245c12b21b6ef1f98d
SSDEEP

12288:gCCcihz6Y1jJ0DFVWV3vhXTtva75ntqiMahkg586aWHff:lCZlN8WBvhXTtw5n8pahB5O8f

Score

10^/10

warzonerat collection infostealer rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

#PO.09877657890439888IpzJ3FEGdOMFjHn.PDF.exe

Resource

win7-20220812-en

warzonerat collection infostealer rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

#PO.09877657890439888IpzJ3FEGdOMFjHn.PDF.exe

Resource

win10v2004-20220901-en

warzonerat collection infostealer rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

37.0.14.207:70

Targets

- Target
  
  #PO.09877657890439888IpzJ3FEGdOMFjHn.PDF.exe
- Size
  
  755KB
- MD5
  
  c9b1ecfd1ec4a4ebd841f77ee0e74ca0
- SHA1
  
  54d8a155fbf50720ec99817a4e5dee29d021a0ed
- SHA256
  
  f92ef33594e2dea236dd194b6d1c78ba5ace8702e5fa02fc48462073e8d8c010
- SHA512
  
  a488ec12d8f90bee5f875b8cfb918b44bd41499545863b2c4da47963a2adccca3be3ffe05fd8412ee8db35520aa3686975b53c4fbce0aa245c12b21b6ef1f98d
- SSDEEP
  
  12288:gCCcihz6Y1jJ0DFVWV3vhXTtva75ntqiMahkg586aWHff:lCZlN8WBvhXTtw5n8pahB5O8f
Score

10^/10

warzonerat collection infostealer rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerratspywarestealer

behavioral2

warzoneratcollectioninfostealerratspywarestealer

© 2018-2024

Terms | Privacy