warzonerat | c9df285477a2a0ef5ea934a5c3b0f94983e202aa82460e900fa203292ccab0b6 | Triage

Submit
Reports

Overview

overview

Static

static

3

07a2fb20a0...cs.exe

windows7-x64

07a2fb20a0...cs.exe

windows10-2004-x64

Sharing

General

Target

07a2fb20a014cd15f034a5ddd37fafd0_NeikiAnalytics.exe
Size

1.1MB
Sample

240526-2bttvsfb96
MD5

07a2fb20a014cd15f034a5ddd37fafd0
SHA1

28c9cc9c5a2126294746ca62e7302cbfe021544c
SHA256

c9df285477a2a0ef5ea934a5c3b0f94983e202aa82460e900fa203292ccab0b6
SHA512

89ccc247b401e0282842c9c76f2c37b60e343ecacdfc3d58cfd4b613500a49f1794e0a091120fd9e8050dc794e9ae616e62d5228d30a4f91c2bf2987b0413039
SSDEEP

24576:4mtwzzxFGaZtqS2xS65L36YPxpPj5LzXqliOzR:4mePxDqS2EvYPxp5Lzui

Score

10^/10

warzonerat execution infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

07a2fb20a014cd15f034a5ddd37fafd0_NeikiAnalytics.exe

Resource

win7-20240508-en

warzonerat execution infostealer rat

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

07a2fb20a014cd15f034a5ddd37fafd0_NeikiAnalytics.exe

Resource

win10v2004-20240508-en

warzonerat execution infostealer rat

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

thebeast415.duckdns.org:4036

Targets

- Target
  
  07a2fb20a014cd15f034a5ddd37fafd0_NeikiAnalytics.exe
- Size
  
  1.1MB
- MD5
  
  07a2fb20a014cd15f034a5ddd37fafd0
- SHA1
  
  28c9cc9c5a2126294746ca62e7302cbfe021544c
- SHA256
  
  c9df285477a2a0ef5ea934a5c3b0f94983e202aa82460e900fa203292ccab0b6
- SHA512
  
  89ccc247b401e0282842c9c76f2c37b60e343ecacdfc3d58cfd4b613500a49f1794e0a091120fd9e8050dc794e9ae616e62d5228d30a4f91c2bf2987b0413039
- SSDEEP
  
  24576:4mtwzzxFGaZtqS2xS65L36YPxpPj5LzXqliOzR:4mePxDqS2EvYPxp5Lzui
Score

10^/10

warzonerat execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratexecutioninfostealerrat

behavioral2

warzoneratexecutioninfostealerrat

© 2018-2024

Terms | Privacy