warzonerat | 69d962a08c69bee560dae12bf7209a36a8a919bef0b65bf8277c823a5c4e1fd8 | Triage

Submit
Reports

Overview

overview

Static

static

94c7dc9f9d...05.exe

windows7-x64

94c7dc9f9d...05.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

94c7dc9f9d87abdcd8914c66caa72405.exe
Size

258KB
Sample

230106-zaqdyabg47
MD5

94c7dc9f9d87abdcd8914c66caa72405
SHA1

f7ca918331bbd0d6bd05c21979b0fa4f2fe1e0fb
SHA256

69d962a08c69bee560dae12bf7209a36a8a919bef0b65bf8277c823a5c4e1fd8
SHA512

d3fb24c05f1e4df7a535919431042ce2309d83d521a69c67a82c15a2504109b3c20d821b4e67eb7f9f5b82e8d928982349519c1e5dfc65e367ea33712ee5f6dc
SSDEEP

3072:EfY/TU9fE9PEtuDbm5jjwHnSEVrvz5r67A3YfmSFkqff4CdhhM76YCoAhwZfBu9a:SYa694fKnSSrr5rkN3bW7dL3u9KARNK

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

94c7dc9f9d87abdcd8914c66caa72405.exe

Resource

win7-20220812-en

warzonerat infostealer persistence rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

94c7dc9f9d87abdcd8914c66caa72405.exe

Resource

win10v2004-20220812-en

warzonerat infostealer persistence rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

bluemoon7.duckdns.org:2023

Targets

- Target
  
  94c7dc9f9d87abdcd8914c66caa72405.exe
- Size
  
  258KB
- MD5
  
  94c7dc9f9d87abdcd8914c66caa72405
- SHA1
  
  f7ca918331bbd0d6bd05c21979b0fa4f2fe1e0fb
- SHA256
  
  69d962a08c69bee560dae12bf7209a36a8a919bef0b65bf8277c823a5c4e1fd8
- SHA512
  
  d3fb24c05f1e4df7a535919431042ce2309d83d521a69c67a82c15a2504109b3c20d821b4e67eb7f9f5b82e8d928982349519c1e5dfc65e367ea33712ee5f6dc
- SSDEEP
  
  3072:EfY/TU9fE9PEtuDbm5jjwHnSEVrvz5r67A3YfmSFkqff4CdhhM76YCoAhwZfBu9a:SYa694fKnSSrr5rkN3bW7dL3u9KARNK
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2025

Terms | Privacy