warzonerat | de716a5e98013894445471b78da71e1a68739adb4573ec3e4d01c110ee41b957 | Triage

Submit
Reports

Overview

overview

Static

static

1

PO No 4000302979.rtf

windows7-x64

PO No 4000302979.rtf

windows10-2004-x64

1

Sharing

Copy URL Twitter E-mail

General

Target

PO No 4000302979.doc
Size

82KB
Sample

230616-q2xgwseh9v
MD5

10cd284660133c5f8f33cc4cccc0f34f
SHA1

5baa5806ea5b7eb7da3d7b89910f48922da579b9
SHA256

de716a5e98013894445471b78da71e1a68739adb4573ec3e4d01c110ee41b957
SHA512

1d0446c03b12308dad5b667d24e7a0d648284a6a1c1a647f3c07b4ec7bb7bbdeb25d1f08225c1a05cc84ab2f0025559a26314d37d5b3d9b5ac54562b92fb9236
SSDEEP

1536:sZMVZ0XrRo57uHQOuiI838wahKC+UBcGJBxWnj+xU2HXDGPqtVkuE5gcM/:sZoZ0Xa7uwv8sVhKC+DABxWnj+xbHXmO

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

PO No 4000302979.rtf

Resource

win7-20230220-en

warzonerat infostealer persistence rat

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

PO No 4000302979.rtf

Resource

win10v2004-20230220-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

ifedinma.duckdns.org:6060

Targets

- Target
  
  PO No 4000302979.doc
- Size
  
  82KB
- MD5
  
  10cd284660133c5f8f33cc4cccc0f34f
- SHA1
  
  5baa5806ea5b7eb7da3d7b89910f48922da579b9
- SHA256
  
  de716a5e98013894445471b78da71e1a68739adb4573ec3e4d01c110ee41b957
- SHA512
  
  1d0446c03b12308dad5b667d24e7a0d648284a6a1c1a647f3c07b4ec7bb7bbdeb25d1f08225c1a05cc84ab2f0025559a26314d37d5b3d9b5ac54562b92fb9236
- SSDEEP
  
  1536:sZMVZ0XrRo57uHQOuiI838wahKC+UBcGJBxWnj+xU2HXDGPqtVkuE5gcM/:sZoZ0Xa7uwv8sVhKC+DABxWnj+xbHXmO
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

© 2018-2025

Terms | Privacy