warzonerat | b8918d875fce5e115789de89df2b5a33a7eba0ee8cf1d03824369984ffd8d967 | Triage

Submit
Reports

Overview

overview

Static

static

3

Purchase R...DF.scr

windows7-x64

Purchase R...DF.scr

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

b8918d875fce5e115789de89df2b5a33a7eba0ee8cf1d03824369984ffd8d967
Size

322KB
Sample

231012-tqv2gaag8w
MD5

17f3a4ae61fa948b6b9cc3f5886615e2
SHA1

11882ed9d1aecb43ae304e2c5ab1bdba7b1507be
SHA256

b8918d875fce5e115789de89df2b5a33a7eba0ee8cf1d03824369984ffd8d967
SHA512

2fb9a3e822e1ed91f5e9adbdd07799b82bfb636d8f42dadaab5fd8958045d6c265fba7a813f7bd3f9e1bed4f8a0155fd5345504f1b4964421ca7a62b7e1c1557
SSDEEP

6144:u7qmr5VJnr2SmvZf2YMwvkSjgJlWSLkOHGg3ngXdeTxsFJuL6xPZ:u7q6HJmvZe3wh8JlWSFHnSdeFAJu2Z

Score

10^/10

warzonerat collection infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase Request LIST_T7FIBA00541·PDF.scr

Resource

win7-20230831-en

warzonerat collection infostealer persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Request LIST_T7FIBA00541·PDF.scr

Resource

win10v2004-20230915-en

warzonerat collection infostealer persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

62.102.148.158:62641

Targets

- Target
  
  Purchase Request LIST_T7FIBA00541·PDF.scr
- Size
  
  355KB
- MD5
  
  1fee9199dbf1e92b8cae1d7e9afacd1a
- SHA1
  
  13164ae4027514d2b172f6069c59d2b54938380b
- SHA256
  
  d99d15e65b3dc0001e359d4375be1a28141aef7141dbc85d8f57180c36d63b61
- SHA512
  
  07b8e5a3113b40d5bc992c42c2feb157b54118a0096e97797279f9f251749cbc57df2d79fbf2d9b9c69f28c0f1f828aa745ac038780a41e144ba9ba2d4ada5ce
- SSDEEP
  
  6144:ILLolfJ3lRCufFLn0qZUNsJIjwrwWIK+krlMtqfKopwZncuc47:Ifef5lHtAqKN0Ijw8EOtqfKumPc4
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistencerat

behavioral2

warzoneratcollectioninfostealerpersistencerat

© 2018-2025

Terms | Privacy