warzonerat | ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b | Triage

Submit
Reports

Overview

overview

Static

static

1

53622e6177...49.exe

windows7-x64

53622e6177...49.exe

windows10-2004-x64

Sharing

General

Target

53622e61772d39cd6868b89aaabb8249.exe
Size

193KB
Sample

230327-nckqpafc6x
MD5

53622e61772d39cd6868b89aaabb8249
SHA1

97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b
SHA256

ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b
SHA512

1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95
SSDEEP

6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

53622e61772d39cd6868b89aaabb8249.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

53622e61772d39cd6868b89aaabb8249.exe

Resource

win10v2004-20230220-en

warzonerat infostealer persistence rat

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

46.183.222.62:5353

Targets

- Target
  
  53622e61772d39cd6868b89aaabb8249.exe
- Size
  
  193KB
- MD5
  
  53622e61772d39cd6868b89aaabb8249
- SHA1
  
  97d7be3cbfc038c741d0a0ba0404c147eb2d9b1b
- SHA256
  
  ac48e7fdd258315b54625d2c9cc84d555d44b1a82c4e834238500f32d088d58b
- SHA512
  
  1e254e3913f2bcd985d96123e8e2f08271f9f1e081a5c39d14afcfc6a1513c76139f980bd25d575845ca85ab2e14881042524a52314321f398558cdb30583d95
- SSDEEP
  
  6144:QkdnyRSXGwbtZt2hP4hY9eII6cuH58KCNRJynB:Q3SXt5E4hoeEdmV+
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2024

Terms | Privacy