warzonerat | abb0a038d3f1c7c5ea61cdd46e797e1862e5f70d1382d58d59e5404b705bca08 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

9e4b8dd501...9c.exe

windows7-x64

9e4b8dd501...9c.exe

windows10-2004-x64

Sharing

General

Target

9e4b8dd5015ff503c145d5d110c0899c.exe
Size

717KB
Sample

230326-1t3ztaab69
MD5

9e4b8dd5015ff503c145d5d110c0899c
SHA1

fc17f01106a589943ea2937de4dbd68f5de50cb1
SHA256

abb0a038d3f1c7c5ea61cdd46e797e1862e5f70d1382d58d59e5404b705bca08
SHA512

a3eac22d9935f8d9d421ecd68648eeeaa08a97ed9ec904a851a271dd0fdc0bd236a4b58823f6d7c4c9e7d4ce721678ee2bca60e223406da450d3af5b51b4d2fc
SSDEEP

12288:dIteEGAFDh24NS8Y7GrRybCC4h2M6lavptrnpoZa+fuFtUN4Hhzsc:BIY7GrRy74h8avbrUa+ItPic

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

9e4b8dd5015ff503c145d5d110c0899c.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

9e4b8dd5015ff503c145d5d110c0899c.exe

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

84.38.133.19:5200

Targets

- Target
  
  9e4b8dd5015ff503c145d5d110c0899c.exe
- Size
  
  717KB
- MD5
  
  9e4b8dd5015ff503c145d5d110c0899c
- SHA1
  
  fc17f01106a589943ea2937de4dbd68f5de50cb1
- SHA256
  
  abb0a038d3f1c7c5ea61cdd46e797e1862e5f70d1382d58d59e5404b705bca08
- SHA512
  
  a3eac22d9935f8d9d421ecd68648eeeaa08a97ed9ec904a851a271dd0fdc0bd236a4b58823f6d7c4c9e7d4ce721678ee2bca60e223406da450d3af5b51b4d2fc
- SSDEEP
  
  12288:dIteEGAFDh24NS8Y7GrRybCC4h2M6lavptrnpoZa+fuFtUN4Hhzsc:BIY7GrRy74h8avbrUa+ItPic
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2025

Terms | Privacy