warzonerat | cbc1ab5e7d636a1280f51234993a689161ed659e2f28341a5da6b2a4d712dd34 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

Purchase O...33.exe

windows7-x64

Purchase O...33.exe

windows10-2004-x64

Sharing

General

Target

Purchase Order #PO-RBL-156502125498590-0333.7z
Size

24KB
Sample

231012-e2b1eagg82
MD5

9c484f7fd51710c30da8269f8266760b
SHA1

c7e393e110c34a378fdecf3dae9f1a58ef96fd51
SHA256

cbc1ab5e7d636a1280f51234993a689161ed659e2f28341a5da6b2a4d712dd34
SHA512

6727dde34ab1a99324ebeca2c6d689b6c57a54f1d6afeb6ffe99ebabd4bace6a635fa966a6f67966a2b5f617b009703b008868e729c5c1b6a02ffc0723f9d634
SSDEEP

768:f5Ai5aopoStmhyqGaoDlanja5i5C/D5wpbR157oKG:fWi5afLDja5NVwpdnoz

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase Order #PO-RBL-156502125498590-0333.exe

Resource

win7-20230831-en

warzonerat infostealer persistence rat

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Order #PO-RBL-156502125498590-0333.exe

Resource

win10v2004-20230915-en

warzonerat infostealer persistence rat

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

84.38.132.126:63030

Targets

- Target
  
  Purchase Order #PO-RBL-156502125498590-0333.exe
- Size
  
  86KB
- MD5
  
  535f5cf42f36a22ffa738a56a4fdf161
- SHA1
  
  c3578651fb4f0720b4d14ecd5d9427aaff60b4fc
- SHA256
  
  0654a66a1584a3924f5020f6bf641d1cd3a93864e040a15e13f3e5a07290817f
- SHA512
  
  0eb296089610afd75dcf60197df0a4b063c81cc2aa5c4763ef1f5f988653c46f643c8bb3969f42a938d1c0408d3423ef6bf4885e80ccffff6548753cbc8933a8
- SSDEEP
  
  1536:8w1IXWFN5/V7LVV9zaaavghKd9QzGBa+/bVGpGR1T:8w1IXW5/V3z9zHAOnQ7T
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

warzoneratinfostealerpersistencerat

© 2018-2025

Terms | Privacy