warzonerat | 835e0693690b76b1b1a531df27eb86c7aa17dc18fb95e6ca955aa7e0f5f28776 | Triage

Submit
Reports

Overview

overview

Static

static

3

e0de0e4aa7...53.exe

windows7-x64

e0de0e4aa7...53.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

1ee12eccc9a411109d2e769532e3517f.bin
Size

847KB
Sample

230508-bgec9aac4y
MD5

f388fec0fb6b47d3de5ecff3387e0755
SHA1

38ed6f9f938e5cb794d0eac5a4064f6fd80ce02d
SHA256

835e0693690b76b1b1a531df27eb86c7aa17dc18fb95e6ca955aa7e0f5f28776
SHA512

34d8675b396e99155f3fcf78273fe6b19cc58001ebea6fb28896a41f07e8582deb085fe4b8d6010674ae345149d23ef67923baed2e225444226b486a5280b32a
SSDEEP

24576:h4KQ8lclw+h1Xqtm5WF8SOMnBOqaAUt7GjX+/9b:h4KQ8Slw+h1ymgvOMnjaAUt7o+/R

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e0de0e4aa7cced3977ea3bd8fdd6d13350d6c888c2306e1c03ec63e95ac89f53.exe

Resource

win7-20230220-en

warzonerat collection infostealer persistence rat

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

e0de0e4aa7cced3977ea3bd8fdd6d13350d6c888c2306e1c03ec63e95ac89f53.exe

Resource

win10v2004-20230220-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

2.58.47.203:17873

Targets

- Target
  
  e0de0e4aa7cced3977ea3bd8fdd6d13350d6c888c2306e1c03ec63e95ac89f53.exe
- Size
  
  1.6MB
- MD5
  
  1ee12eccc9a411109d2e769532e3517f
- SHA1
  
  7cd798042e61e5109833ecb08c768d5c713380a7
- SHA256
  
  e0de0e4aa7cced3977ea3bd8fdd6d13350d6c888c2306e1c03ec63e95ac89f53
- SHA512
  
  7cf527c5d1e86b93e2295f3404e43a50e1939d8bc1298fd2bbad44216844db937edb93ba973cd5c346bca0bab01909e503b9bc6400528d96e041a9e39e72e3cc
- SSDEEP
  
  24576:zUCTTQNA+eVic0EYGbmHZ8DTY2/fK+lV0vPrm:wWKLPemHZbsDo
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2025

Terms | Privacy