warzonerat | dbe7fdd2f0e7270387053d2955f549a46a6699b29ece6b3ff20a6bd11c06064b | Triage

Submit
Reports

Overview

overview

Static

static

3

PaymentSli...pt.exe

windows7-x64

PaymentSli...pt.exe

windows10-2004-x64

Sharing

General

Target

PaymentSlipReveipt.exe
Size

308KB
Sample

230606-cjebpsbf45
MD5

27c962bc41886b2fae4c822abfc796bc
SHA1

e14f67bfe3b1cf5e9197b5e8437b23cdb141e0d9
SHA256

dbe7fdd2f0e7270387053d2955f549a46a6699b29ece6b3ff20a6bd11c06064b
SHA512

145e6946970c9167a14bfb517cea653b7843e89dc5d77723cb3abd51d40af9ccea4a0996a88bea8c2e1aae55811640135d37ebbf83ad458ec7ca5c8b3c35098b
SSDEEP

6144:SYa6AvUotjvBsR61qoro5PBcxwN15a4Vr:SYYzjeRAqjcCBr

Score

10^/10

warzonerat collection evasion infostealer persistence rat spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PaymentSlipReveipt.exe

Resource

win7-20230220-en

warzonerat evasion infostealer persistence rat upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

PaymentSlipReveipt.exe

Resource

win10v2004-20230220-en

warzonerat collection evasion infostealer persistence rat spyware stealer upx

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

194.180.48.228:5200

Targets

- Target
  
  PaymentSlipReveipt.exe
- Size
  
  308KB
- MD5
  
  27c962bc41886b2fae4c822abfc796bc
- SHA1
  
  e14f67bfe3b1cf5e9197b5e8437b23cdb141e0d9
- SHA256
  
  dbe7fdd2f0e7270387053d2955f549a46a6699b29ece6b3ff20a6bd11c06064b
- SHA512
  
  145e6946970c9167a14bfb517cea653b7843e89dc5d77723cb3abd51d40af9ccea4a0996a88bea8c2e1aae55811640135d37ebbf83ad458ec7ca5c8b3c35098b
- SSDEEP
  
  6144:SYa6AvUotjvBsR61qoro5PBcxwN15a4Vr:SYYzjeRAqjcCBr
Score

10^/10

warzonerat evasion infostealer persistence rat upx collection spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratevasioninfostealerpersistenceratupx

behavioral2

warzoneratcollectionevasioninfostealerpersistenceratspywarestealerupx

© 2018-2025

Terms | Privacy