warzonerat | 73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5 | Triage

Submit
Reports

Overview

overview

Static

static

1

QUOTATION_...cr.exe

windows7-x64

QUOTATION_...cr.exe

windows10-2004-x64

Sharing

General

Target

QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
Size

1.8MB
Sample

230405-wslxpagf32
MD5

657ecefa96e9e2aad4975964339f6d88
SHA1

c041038ccc3ec0bb069c8200ca80f0b8345f8361
SHA256

73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5
SHA512

898c6f5120db52bcbfb8423f2e5083c129b486855248f9bc47b82dd14fa096297b4902d7d09e897fc3b3f55b8a53e3d15a629a41078be8d4c47bcefb2f893027
SSDEEP

24576:1xYG/b9jNHjWdBxhtvS77w4gl0HA4QE6HsIyoUZ8pdyC2cyft0jFFwSnDB6COT+N:o2qPtvq7wNl0pMQwdqvi/oQlw

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

152.89.160.131:47795

Targets

- Target
  
  QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
- Size
  
  1.8MB
- MD5
  
  657ecefa96e9e2aad4975964339f6d88
- SHA1
  
  c041038ccc3ec0bb069c8200ca80f0b8345f8361
- SHA256
  
  73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5
- SHA512
  
  898c6f5120db52bcbfb8423f2e5083c129b486855248f9bc47b82dd14fa096297b4902d7d09e897fc3b3f55b8a53e3d15a629a41078be8d4c47bcefb2f893027
- SSDEEP
  
  24576:1xYG/b9jNHjWdBxhtvS77w4gl0HA4QE6HsIyoUZ8pdyC2cyft0jFFwSnDB6COT+N:o2qPtvq7wNl0pMQwdqvi/oQlw
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2024

Terms | Privacy