warzonerat | a4137b1d2336f03a59fcfc3f9273e75d1b2ba18e547b17cc50d894d67b960eb5 | Triage

Submit
Reports

Overview

overview

Static

static

1

Purchase O...df.scr

windows7-x64

Purchase O...df.scr

windows10-2004-x64

Sharing

General

Target

Purchase Order-20230315 & Leaflets_1.IMG
Size

2.2MB
Sample

230317-jtrs4sha7t
MD5

a10a585ec78b5c769f5dca2ed052525e
SHA1

479ce29d88dd108bcadd5b84768633fe768a45d0
SHA256

a4137b1d2336f03a59fcfc3f9273e75d1b2ba18e547b17cc50d894d67b960eb5
SHA512

efa0dee2bfa91682912f5b8f3af94f220a0e4fee08feb306df4cea12ff0e344179f76535b9146d464893fb12a78f6ee53b1f7b032e0c6e6ff93056db07803951
SSDEEP

24576:gKJ4Bu9Ot09OX7l348A5NyTrgrXBebbxwB0BGpUnYAHyOkBuuotyo+u9N8Esj6tE:6ocbOab1r8EsWLqO357

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order-20230315-pdf.scr

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Order-20230315-pdf.scr

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

146.70.94.3:17873

Targets

- Target
  
  Purchase Order-20230315-pdf.scr
- Size
  
  2.2MB
- MD5
  
  04c554539eb31dfe2bae23a9975b6e0d
- SHA1
  
  b8e0182dff17942e859259c507414029cb00a2f8
- SHA256
  
  125d12ade3da14ef13cd2a6408692edd8067baefa8a2b375a03c4fad6368fd39
- SHA512
  
  2e145b69e03eae0ad5935b9a8d9a0030e870ed79eaeb29a15f330ce9c938389599e796e817503f1db99e078cc4cd2b971e2e65581da3bb6988369c8ac0f74721
- SSDEEP
  
  24576:PKJ4Bu9Ot09OX7l348A5NyTrgrXBebbxwB0BGpUnYAHyOkBuuotyo+u9N8Esj6tE:RocbOab1r8EsWLqO357
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2024

Terms | Privacy