warzonerat | 750aa88d28de9fcbf28b9e21c82f2d56701ffe8f02d8ec975539e4cae1a1972e | Triage

Submit
Reports

Overview

overview

Static

static

3

e4a50ac640...0N.exe

windows7-x64

8

e4a50ac640...0N.exe

windows10-2004-x64

Sharing

General

Target

e4a50ac640ca22cea06d0d212be4e5f0N.exe
Size

6.7MB
Sample

240906-e4dxsawenr
MD5

e4a50ac640ca22cea06d0d212be4e5f0
SHA1

3d7944cc986d93000d9835617c927dac10e55b31
SHA256

750aa88d28de9fcbf28b9e21c82f2d56701ffe8f02d8ec975539e4cae1a1972e
SHA512

5ebbf586d3c48d5f1a893841d93aa52f71a2cf570c80350416b86251c38e42103edefa169d7c498fb41dde2af6d51260955d98a2e03b8154f239d39a95ff86f5
SSDEEP

98304:giUupNGhzkE7R7iUupNGhzkE7RR/fh6ImzzJoDfuBcMv+A73XA:Y+GhzkE71+GhzkE7jHh6ImzD+F

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e4a50ac640ca22cea06d0d212be4e5f0N.exe

Resource

win7-20240704-en

discovery execution

windows7-x64

7 signatures

120 seconds

Behavioral task

behavioral2

Sample

e4a50ac640ca22cea06d0d212be4e5f0N.exe

Resource

win10v2004-20240802-en

warzonerat discovery execution infostealer persistence rat

windows10-2004-x64

18 signatures

120 seconds

Malware Config

Targets

- Target
  
  e4a50ac640ca22cea06d0d212be4e5f0N.exe
- Size
  
  6.7MB
- MD5
  
  e4a50ac640ca22cea06d0d212be4e5f0
- SHA1
  
  3d7944cc986d93000d9835617c927dac10e55b31
- SHA256
  
  750aa88d28de9fcbf28b9e21c82f2d56701ffe8f02d8ec975539e4cae1a1972e
- SHA512
  
  5ebbf586d3c48d5f1a893841d93aa52f71a2cf570c80350416b86251c38e42103edefa169d7c498fb41dde2af6d51260955d98a2e03b8154f239d39a95ff86f5
- SSDEEP
  
  98304:giUupNGhzkE7R7iUupNGhzkE7RR/fh6ImzzJoDfuBcMv+A73XA:Y+GhzkE71+GhzkE7jHh6ImzD+F
Score

10^/10

discovery execution warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

warzoneratdiscoveryexecutioninfostealerpersistencerat

© 2018-2025

Terms | Privacy