warzonerat | 64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6 | Triage

Submit
Reports

Overview

overview

Static

static

1

64f2a6308c...f6.exe

windows7-x64

64f2a6308c...f6.exe

windows10-2004-x64

Sharing

General

Target

64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6
Size

307KB
Sample

230404-p1q32seh89
MD5

71e44db97d7e1d350965103abab9f962
SHA1

f7c5db5f8c1e383cf62c41afa49c1f2dfabe0953
SHA256

64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6
SHA512

0c3c296a495ecf45c0d31d0eb02fde8061d24f2dd75bed295dab74aab3ef2126e235abbdc6a4699661dacbab51fcf7d6fc19c63098002c4b6985131b170c1be0
SSDEEP

6144:BHfqDye3NCT8yGjm04y0O12udoEUA89bNM6InMI:FiCgD4wldEnM6InMI

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6.exe

Resource

win10v2004-20230221-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

91.192.100.10:11011

Targets

- Target
  
  64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6
- Size
  
  307KB
- MD5
  
  71e44db97d7e1d350965103abab9f962
- SHA1
  
  f7c5db5f8c1e383cf62c41afa49c1f2dfabe0953
- SHA256
  
  64f2a6308c94b35be90cc1085538912c33956c06182756cd324f6874ae6c62f6
- SHA512
  
  0c3c296a495ecf45c0d31d0eb02fde8061d24f2dd75bed295dab74aab3ef2126e235abbdc6a4699661dacbab51fcf7d6fc19c63098002c4b6985131b170c1be0
- SSDEEP
  
  6144:BHfqDye3NCT8yGjm04y0O12udoEUA89bNM6InMI:FiCgD4wldEnM6InMI
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2024

Terms | Privacy