warzonerat | d802dfdd113620634a88afe2ae7de17eed8200b0e81248b741bcf46d780844a7 | Triage

Submit
Reports

Overview

overview

Static

static

1

5a39f9dbd5...60.exe

windows7-x64

5a39f9dbd5...60.exe

windows10-2004-x64

Sharing

General

Target

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.zip
Size

164KB
Sample

230321-rv4hasda7x
MD5

9a8e882c93760422ec02263acdbb78c4
SHA1

f0634c77a3ae1206fecae9d285224c7bb95d32bf
SHA256

d802dfdd113620634a88afe2ae7de17eed8200b0e81248b741bcf46d780844a7
SHA512

5ad6243447abcc4b2c4e1d14076989260521cb7cd6e44447fe595565b9a6fa592c04afeb69f52e34f64ebf5b7bc3ec91a36d43c49d2eb4d16567d5f04ce56e94
SSDEEP

3072:R8VS6cW0aOKy/5W2ZqUOoEkQFd2X8DLqXJsasy1Y9mLW9KCa:Rr64Ky/wmOoEkmqX11bL2a

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

macking.duckdns.org:1104

Targets

- Target
  
  5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260.exe
- Size
  
  202KB
- MD5
  
  05ca94d88d462bef2458ec93ed42df23
- SHA1
  
  bc749bbfef60caac3ae0a3b6324767532c9e43dd
- SHA256
  
  5a39f9dbd5c6cee8dce9d113c484d794045d72f3258e1959d34c14e673803260
- SHA512
  
  b88729322928ce573c93cfdee9979bea525902fa71c96c5f43ca2370ca3d841b4708e89b5205a4404dc9af36526e5ca8b719d08c1bfc663358b799e492efa923
- SSDEEP
  
  3072:2fY/TU9fE9PEtu9brXRHwio/QbIFBo93nmpeBTJ1N+Mmc/8CWbqQZU8hbpUVS:gYa6TrFH3kE92pe9Jx/ZWbqunhKVS
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2024

Terms | Privacy