warzonerat | 369e794e05e0d7c9bba6dde5009848087a2cd5e8bf77583d391e0e51d21a52cd | Triage

Submit
Reports

Overview

overview

Static

static

3

f6e2893312...18.exe

windows7-x64

f6e2893312...18.exe

windows10-2004-x64

7

Sharing

General

Target

f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118
Size

305KB
Sample

240418-akyevscg6t
MD5

f6e2893312dc8bb664c183fcc93990bb
SHA1

72c03600b7fcab33db83644153a9376f6aae5914
SHA256

369e794e05e0d7c9bba6dde5009848087a2cd5e8bf77583d391e0e51d21a52cd
SHA512

dbe72bd9d0851176e20091842b1505e650034ce4b1a98dfc13d09cbb92cc45a8db67418ff7db88a4a5451363c74189bf86efe227ec52b6901e1b188bae07baf0
SSDEEP

6144:qrPvxOIE9jeOn3jEapL6wAOGNGE81/2I/TYtCC:qbvx+9jZoDwmGRuIhC

Score

10^/10

warzonerat infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe

Resource

win7-20240221-en

warzonerat infostealer persistence rat

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118.exe

Resource

win10v2004-20240412-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

64.188.13.46:13372

Targets

- Target
  
  f6e2893312dc8bb664c183fcc93990bb_JaffaCakes118
- Size
  
  305KB
- MD5
  
  f6e2893312dc8bb664c183fcc93990bb
- SHA1
  
  72c03600b7fcab33db83644153a9376f6aae5914
- SHA256
  
  369e794e05e0d7c9bba6dde5009848087a2cd5e8bf77583d391e0e51d21a52cd
- SHA512
  
  dbe72bd9d0851176e20091842b1505e650034ce4b1a98dfc13d09cbb92cc45a8db67418ff7db88a4a5451363c74189bf86efe227ec52b6901e1b188bae07baf0
- SSDEEP
  
  6144:qrPvxOIE9jeOn3jEapL6wAOGNGE81/2I/TYtCC:qbvx+9jZoDwmGRuIhC
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratinfostealerpersistencerat

behavioral2

© 2018-2024

Terms | Privacy