warzonerat | 1407f0dec740aaeec061ec96604c87e50ae97d46e502e559cf1b60840df42a9e

General

Target

1407f0dec740aaeec061ec96604c87e50ae97d46e502e559cf1b60840df42a9e
Size

448KB
Sample

240417-p4s2tahe5x
MD5

287f2c6b96eef4a1917c7509005a3c8b
SHA1

3357e04b0183ff356ad04366232311c42c1a91fc
SHA256

1407f0dec740aaeec061ec96604c87e50ae97d46e502e559cf1b60840df42a9e
SHA512

36748788f22219d7d062c37f9d28c2d37aad2c5c98ad95ea3f5ef952d7cd7567e5ee19b535eb2b75c46bd65590a146fa40d01dc10ad7c816f85edca5ddff0c67
SSDEEP

12288:irEQVEVHQC4eLVuHFXON1rZ0K6UsT/TQ6qf4WGV8V:9HQJeQHoPV6JLQTYg

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

96.9.225.105:61861

Targets

- Target
  
  3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
- Size
  
  523KB
- MD5
  
  0b37c260284040ee0beb1549da143fb5
- SHA1
  
  9ae52f766f75f704a28e4dd4a5fd23ba6cc1548b
- SHA256
  
  3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1
- SHA512
  
  4433ba8bef7b41b70607d332a005c21472955b7d6caea68be6dfd5fdf0acdcda69fa72a121575997cc26b64db62d444d07dd386eeb2bf0cd75667ec95cf7d3ad
- SSDEEP
  
  12288:KbNmJ8L4M58gAzcEHIksyBR3l1iAddpPW7rCMtvXpnh:We8L4MPAzfHBR3lkCcrCWXJh
Score

10^/10

warzonerat collection infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Buffisternes.Muj
- Size
  
  60KB
- MD5
  
  536404b62f83ffc1c1ab96b8702ac936
- SHA1
  
  e3fcddb4a59854532c9628fb842a89e44600d4df
- SHA256
  
  2257be627271ea9c32361cfcdb142ccb3b807d841dbfc04c08356cd1d8336600
- SHA512
  
  5e4f55571925250785b7674552960883841caf0ae0949a788d3afaf38494aab49f3838eb2f17a6138f4131ffd9f995a153d1676fc382734fde2b83d43d94663d
- SSDEEP
  
  768:XRG7q21ttLI7+7VD+oVBbRSI2K4bdIhyjxmFlcikC5pV5tZNN8WUM00WjCi/IDeQ:XRG7q2bt0KJD+obmBIhSqLL3NvGbnt2x
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4