warzonerat | 09e6fb6d40e80ed9ec9fa9e7a5ccb5b1ab3a394e5057c0eed89ba83079244133 | Triage

Submit
Reports

Overview

overview

Static

static

1

f5e9af8a84...3b.exe

windows7-x64

f5e9af8a84...3b.exe

windows10-2004-x64

Sharing

General

Target

f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b.zip
Size

470KB
Sample

230321-qpmrxsce7s
MD5

d9f0f7b3e654be29deba3120eac66e5b
SHA1

4b71c898eb3affd1f15232ee5e9c79e6560dabab
SHA256

09e6fb6d40e80ed9ec9fa9e7a5ccb5b1ab3a394e5057c0eed89ba83079244133
SHA512

f9f857541c3b33e7759c4b8b513a928123efd45501a90db513020b3ea0d0d9dad4460cb5e44655db6cd776a2e68b82ef46a749c5d41689a333560e2d75e31e00
SSDEEP

12288:9eBIVGz7f7mv3fGu1xaI9FIDVjc2aygcS10vbqr:9dwfCxMQ+jce9u0vbqr

Score

10^/10

warzonerat infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b.exe

Resource

win7-20230220-en

warzonerat infostealer rat

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b.exe

Resource

win10v2004-20230220-en

warzonerat infostealer rat

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

154.16.106.40:4441

Targets

- Target
  
  f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b.exe
- Size
  
  579KB
- MD5
  
  6ca65058e490b038710bd1e2ac8cb457
- SHA1
  
  c66ea296401994d1d352b2795b70dd38f7eb4f88
- SHA256
  
  f5e9af8a842e3d0ab3b48e83151a43a1514ed4f8772da1819d27558b62901b3b
- SHA512
  
  f3f473a6e7335b39cdd212ce287070e2f092cc550bd836ca66808b3483ef48c6152ad41a5f9a120c22c268af3960768b6fb7e03a8861bf444052c7cf1476229f
- SSDEEP
  
  12288:sctmABdVLhcA9D/4BjCAYEKRkx/yX0chSSuPA:sqdpkBtqoaXLMS+
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratinfostealerrat

© 2018-2024

Terms | Privacy