warzonerat | 8bc2a80321c01b51ff4896895730ccda0b34f2a1cacc2bba849b4b208ff197d8 | Triage

Submit
Reports

Overview

overview

Static

static

1

Order to P...23.exe

windows7-x64

Order to P...23.exe

windows10-2004-x64

Resubmissions

06/02/2023, 11:08

230206-m8jmtsgh5w 10

06/02/2023, 11:04

230206-m6j6ksgh4w 10

Sharing

Copy URL Twitter E-mail

General

Target

Order to Purchase DOC_PO.20051011_060223.ace
Size

401KB
Sample

230206-m6j6ksgh4w
MD5

3de0367d8fd512ec8b4c62e67c6700c0
SHA1

39aa9a0ab59f3f93c24aa9c6e3a2b7200271a831
SHA256

8bc2a80321c01b51ff4896895730ccda0b34f2a1cacc2bba849b4b208ff197d8
SHA512

cfc2a5a692b445e7befa6b295179b416f2ca99b4e44235d359298f7acb418d47a907b037d3e5814da223d083af479ed56dd4209956c00a377961f39972544d0d
SSDEEP

12288:YaO/hw4kpKI/6MVAgJTezEyRm0slq+/MP1jcv23:YFwXpV/VVAgJWRshUPhe23

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

Order to Purchase DOC_PO.20051011_060223.exe

Resource

win7-20220812-en

warzonerat evasion infostealer persistence rat upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Order to Purchase DOC_PO.20051011_060223.exe

Resource

win10v2004-20221111-en

warzonerat evasion infostealer persistence rat upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  Order to Purchase DOC_PO.20051011_060223.exe
- Size
  
  573KB
- MD5
  
  3c9f896424d6c80ff3429e77512c96fe
- SHA1
  
  1cd10b529b174402c709996d8ecad6b16f76b99e
- SHA256
  
  83876348a7bd641e0db5efdffda03efa8e7831ad2d6b28cd86cea8e687e4e767
- SHA512
  
  d5ee679a4a39d4061af2c65b98302fec0f245502cb84c510fb568fca226d40b2773dcc068cd2a13012fd04a61e9336ac8e82e8568b9b872b16f9d58e93385eb7
- SSDEEP
  
  6144:6CfoCKXgnHyTLQIIZyzukNo1DZh2GWWJz9vlGxE/Ee+bp5I3MGWc04YrDYeHTHya:6CQ5gnHbL8z2hb/jwk+F5IBRKYWTHaQ
Score

10^/10

warzonerat evasion infostealer persistence rat upx
- Modifies WinLogon for persistence
  persistence
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistenceratupx

behavioral2

warzoneratevasioninfostealerpersistenceratupx

© 2018-2025

Terms | Privacy