warzonerat | 18c71c0ddb3865bab4874bc60e18869e791f95dcc48db64afbcdc07b7a83165e | Triage

Sharing

Copy URL Twitter E-mail

General

Target

donexx.exe
Size

602KB
Sample

230825-v25kqaff7z
MD5

f561af5ec94b44e66e8a1792371fd87b
SHA1

6920b6dffc67a5e11d2b48588515a953b0f5fa7c
SHA256

18c71c0ddb3865bab4874bc60e18869e791f95dcc48db64afbcdc07b7a83165e
SHA512

536372ce5823a209edc5d9cfabf84b23ea742994bce37b6f513f427d291f4958d66aed4127935bd81a4c682f4c54e3253a070d20ee4199f7c7b857a4e59e67a1
SSDEEP

12288:uSfXuXOAC7le3zjXljw/Vq6F6CjtuVu/jmh:uEXuXOASEjj1M/tsVu/jQ

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

45.162.228.171:26112

Targets

- Target
  
  donexx.exe
- Size
  
  602KB
- MD5
  
  f561af5ec94b44e66e8a1792371fd87b
- SHA1
  
  6920b6dffc67a5e11d2b48588515a953b0f5fa7c
- SHA256
  
  18c71c0ddb3865bab4874bc60e18869e791f95dcc48db64afbcdc07b7a83165e
- SHA512
  
  536372ce5823a209edc5d9cfabf84b23ea742994bce37b6f513f427d291f4958d66aed4127935bd81a4c682f4c54e3253a070d20ee4199f7c7b857a4e59e67a1
- SSDEEP
  
  12288:uSfXuXOAC7le3zjXljw/Vq6F6CjtuVu/jmh:uEXuXOASEjj1M/tsVu/jQ
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2