warzonerat | cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3 | Triage

Submit
Reports

Overview

overview

Static

static

3

3f48755a19...18.exe

windows7-x64

3f48755a19...18.exe

windows10-2004-x64

Sharing

General

Target

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118
Size

858KB
Sample

240513-npqsgade45
MD5

3f48755a19953e9c0e5e4b7436086e3e
SHA1

6eebacf37d21aaa8b808fff8fcc97ebdd62915c3
SHA256

cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3
SHA512

53a3c86c611452fa9fcef8ba7b33b8899e5e0fbbddf80dba66a26c0da062a2d0b704d4d7a18fadde55e9f8c594d6649988012e55157ca8095f00dcf68c67fcbf
SSDEEP

24576:uFFq+b5j65eH6Q2as94X4KzDkJkdvQmwzOP:jeaQ2Jo

Score

10^/10

warzonerat infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Resource

win7-20240508-en

warzonerat infostealer rat

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118.exe

Resource

win10v2004-20240508-en

warzonerat infostealer rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

khan041.freeddns.org:3472

Targets

- Target
  
  3f48755a19953e9c0e5e4b7436086e3e_JaffaCakes118
- Size
  
  858KB
- MD5
  
  3f48755a19953e9c0e5e4b7436086e3e
- SHA1
  
  6eebacf37d21aaa8b808fff8fcc97ebdd62915c3
- SHA256
  
  cda918fabf2f34622ac937e0b97b218217255d3c380dd5ee630e386fd0920ac3
- SHA512
  
  53a3c86c611452fa9fcef8ba7b33b8899e5e0fbbddf80dba66a26c0da062a2d0b704d4d7a18fadde55e9f8c594d6649988012e55157ca8095f00dcf68c67fcbf
- SSDEEP
  
  24576:uFFq+b5j65eH6Q2as94X4KzDkJkdvQmwzOP:jeaQ2Jo
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratinfostealerrat

behavioral2

warzoneratinfostealerrat

© 2018-2024

Terms | Privacy