warzonerat | 8de8b8e1049c4587c0598707963f7d92d4c171b931c7f787471603e19a8523fe

General

Target

undercover.zip
Size

557KB
Sample

240506-envwcsgd91
MD5

c11c465450d19380a20c985896bca258
SHA1

c38a3ac2e284865cd95f8b7d375f2e9d930b3873
SHA256

8de8b8e1049c4587c0598707963f7d92d4c171b931c7f787471603e19a8523fe
SHA512

8a1eb23e9bd8b7be5046b7b19d4ad5d7d80a74ed9ac2678806a0100981febde8cde6ee530a027b6292d72cd14e10f053f6b0a1667ae9bd9bc7e2c39fdfa8b588
SSDEEP

12288:41cXKEbeZR7dvFhJxch5eEAU4M4QR07upEOtS7MNtjICtpfS+J0F:Uca22hhshkjnjuSRgNtU6qqY

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

93.123.118.3:65535

Targets

- Target
  
  undercover.zip
- Size
  
  557KB
- MD5
  
  c11c465450d19380a20c985896bca258
- SHA1
  
  c38a3ac2e284865cd95f8b7d375f2e9d930b3873
- SHA256
  
  8de8b8e1049c4587c0598707963f7d92d4c171b931c7f787471603e19a8523fe
- SHA512
  
  8a1eb23e9bd8b7be5046b7b19d4ad5d7d80a74ed9ac2678806a0100981febde8cde6ee530a027b6292d72cd14e10f053f6b0a1667ae9bd9bc7e2c39fdfa8b588
- SSDEEP
  
  12288:41cXKEbeZR7dvFhJxch5eEAU4M4QR07upEOtS7MNtjICtpfS+J0F:Uca22hhshkjnjuSRgNtU6qqY
Score

1^/10
behavioral1 behavioral2
- Target
  
  undercover.exe
- Size
  
  642KB
- MD5
  
  c7dde9741228fbc2c317bae1ef4c8231
- SHA1
  
  26deeac180d6bf406bd004a718cbc86b1586c494
- SHA256
  
  d1d0a4c2a7489201006748a364e5cc6dca7b0721dbce83c54566c555bc56ca68
- SHA512
  
  05508db7f290282c91d461b7284c1856ee9ad2e042dc57f9203f79374492ba69c457985177d9e11195758680b6c211261fa7df2662c380edb1bb0b3678e1139e
- SSDEEP
  
  12288:y0WWObW5cBj7O56jp7t8c6B5wAmjPDynKr7fP7E3caoAqI+lRW:l4JugjEc6B5wT6KrL7E3hVElR
Score

10^/10

warzonerat execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

WarzoneRat, AveMaria

Warzone RAT payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4