warzonerat | 0e3e551f81d8d908b962ee77ab0ba388b98997b59559a760473defbc33bdfa13 | Triage

Submit
Reports

Overview

overview

Static

static

1

QUOTATION_...DF.scr

windows7-x64

QUOTATION_...DF.scr

windows10-2004-x64

Sharing

General

Target

QUOTATION_ APRL 310377FIBA00541.xz
Size

1.0MB
Sample

230405-xj7cpsgh65
MD5

40c1c7cc552d4ac05aefcee9cc37b0ce
SHA1

d16b3e93c6772c8e487763401481e975d684fc98
SHA256

0e3e551f81d8d908b962ee77ab0ba388b98997b59559a760473defbc33bdfa13
SHA512

14fc8e13bc40bc8efee9a86e1c516d42bd429aea9788722ae9afce75d404cb7f43604dd08551c170e446ec7e1a39c84290d7f357565f2e065ff6320e2446ef42
SSDEEP

24576:PwtMqjAv7glzFZxQWtXP+lwyYNQj6XaaK+vf:YMAAvIdZGlwh9N

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

QUOTATION_ APRL 310377FIBA00541_PDF.scr

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

QUOTATION_ APRL 310377FIBA00541_PDF.scr

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

152.89.160.131:47795

Targets

- Target
  
  QUOTATION_ APRL 310377FIBA00541_PDF.scr
- Size
  
  1.8MB
- MD5
  
  657ecefa96e9e2aad4975964339f6d88
- SHA1
  
  c041038ccc3ec0bb069c8200ca80f0b8345f8361
- SHA256
  
  73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5
- SHA512
  
  898c6f5120db52bcbfb8423f2e5083c129b486855248f9bc47b82dd14fa096297b4902d7d09e897fc3b3f55b8a53e3d15a629a41078be8d4c47bcefb2f893027
- SSDEEP
  
  24576:1xYG/b9jNHjWdBxhtvS77w4gl0HA4QE6HsIyoUZ8pdyC2cyft0jFFwSnDB6COT+N:o2qPtvq7wNl0pMQwdqvi/oQlw
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2024

Terms | Privacy