warzonerat | daf0f1674f1796eec5b3a386424ab8e8818513f45c6e7257a2ab163c7c95087c | Triage

Submit
Reports

Overview

overview

Static

static

3

rUienrbalkhdy.exe

windows7-x64

rUienrbalkhdy.exe

windows10-2004-x64

Sharing

General

Target

rUienrbalkhdy.exe
Size

31KB
Sample

231220-alhe2abder
MD5

fab2eba0f5683ce922b6c2f9e5181e23
SHA1

02262d9147e7930eb50c687ede1ffd0cb5d68892
SHA256

daf0f1674f1796eec5b3a386424ab8e8818513f45c6e7257a2ab163c7c95087c
SHA512

e9c68fe5435eb9101c1afe9f8e2ae1a20774178eae0ef59ed986a5fc8750d9eef7621783b6200ba3d914baca86298db4151d8202c2561d77ba2d2d61031384c1
SSDEEP

768:F2dwnmxKPky5Oe58zwWXMdA5Vcnn9z1X:BdvadXMy5GnnN1X

Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

rUienrbalkhdy.exe

Resource

win7-20231215-en

warzonerat collection infostealer persistence rat spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

rUienrbalkhdy.exe

Resource

win10v2004-20231215-en

warzonerat collection infostealer persistence rat spyware stealer

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

109.248.151.69:42255

Targets

- Target
  
  rUienrbalkhdy.exe
- Size
  
  31KB
- MD5
  
  fab2eba0f5683ce922b6c2f9e5181e23
- SHA1
  
  02262d9147e7930eb50c687ede1ffd0cb5d68892
- SHA256
  
  daf0f1674f1796eec5b3a386424ab8e8818513f45c6e7257a2ab163c7c95087c
- SHA512
  
  e9c68fe5435eb9101c1afe9f8e2ae1a20774178eae0ef59ed986a5fc8750d9eef7621783b6200ba3d914baca86298db4151d8202c2561d77ba2d2d61031384c1
- SSDEEP
  
  768:F2dwnmxKPky5Oe58zwWXMdA5Vcnn9z1X:BdvadXMy5GnnN1X
Score

10^/10

warzonerat collection infostealer persistence rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectioninfostealerpersistenceratspywarestealer

behavioral2

warzoneratcollectioninfostealerpersistenceratspywarestealer

© 2018-2025

Terms | Privacy