warzonerat | e2c6f4f125601845be66489bb4d348bfd157eb1760ffb7e85a4117c58d0cd018 | Triage

Submit
Reports

Overview

overview

Static

static

3

INQUIRY009...xe.exe

windows7-x64

INQUIRY009...xe.exe

windows10-2004-x64

Sharing

General

Target

INQUIRY0092709092023exe.exe
Size

625KB
Sample

230704-qe6gaaeh6z
MD5

fe7ab7bf623f74792ce3be09ad7f8654
SHA1

cdcdd01a5e50fc09cb9159892300b7c9d3832b2b
SHA256

e2c6f4f125601845be66489bb4d348bfd157eb1760ffb7e85a4117c58d0cd018
SHA512

57a1e6c6453051a2c56b715609145a6e8ef568386a1e1331a811cda9a7234e1f5969b4842cf31a55ff49d8621fe2f839ca47509a427e07e8941cf3ce054b77e2
SSDEEP

12288:vfme2iN3pSuA7c88+LsQIo0teqi4oh3K7Unv:r1ZkuAxEcrNN

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

INQUIRY0092709092023exe.exe

Resource

win7-20230703-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

INQUIRY0092709092023exe.exe

Resource

win10v2004-20230703-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

185.29.10.206:60567

Targets

- Target
  
  INQUIRY0092709092023exe.exe
- Size
  
  625KB
- MD5
  
  fe7ab7bf623f74792ce3be09ad7f8654
- SHA1
  
  cdcdd01a5e50fc09cb9159892300b7c9d3832b2b
- SHA256
  
  e2c6f4f125601845be66489bb4d348bfd157eb1760ffb7e85a4117c58d0cd018
- SHA512
  
  57a1e6c6453051a2c56b715609145a6e8ef568386a1e1331a811cda9a7234e1f5969b4842cf31a55ff49d8621fe2f839ca47509a427e07e8941cf3ce054b77e2
- SSDEEP
  
  12288:vfme2iN3pSuA7c88+LsQIo0teqi4oh3K7Unv:r1ZkuAxEcrNN
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2025

Terms | Privacy