warzonerat | 6af7f530b868da31e2c20ab699720cc32e307bb21df009209bfd17499986edee | Triage

Submit
Reports

Overview

overview

Static

static

3

2024-09-08...er.exe

windows7-x64

2024-09-08...er.exe

windows10-2004-x64

Sharing

General

Target

2024-09-08_922e0ce72b23593266b0486c19a6f6f0_magniber
Size

10.6MB
Sample

240908-d91hastglq
MD5

922e0ce72b23593266b0486c19a6f6f0
SHA1

f0cb61f5fdc2c2d32f9d6155809ef2bcd629c154
SHA256

6af7f530b868da31e2c20ab699720cc32e307bb21df009209bfd17499986edee
SHA512

86a364059f8b8822577c46b5b884e465a57c210549e4ddab5fa3a105f5152f7ec687cb62f04f5a5ea4e014a3e036016498581d2a99c88e16961093b2df835c14
SSDEEP

98304:+YBKqmTVA7id7RyFZ+bhz4NjufFYBKqmTVA7id7RyFZ+bhz4NjufGpFK0U8AmJNl:5iTyybOSSiTyybOSMFKzYN

Score

10^/10

warzonerat discovery infostealer macro persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2024-09-08_922e0ce72b23593266b0486c19a6f6f0_magniber.exe

Resource

win7-20240708-en

warzonerat discovery infostealer persistence rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

2024-09-08_922e0ce72b23593266b0486c19a6f6f0_magniber.exe

Resource

win10v2004-20240802-en

warzonerat discovery infostealer macro persistence rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

victorybelng.ddns.net:13900

Targets

- Target
  
  2024-09-08_922e0ce72b23593266b0486c19a6f6f0_magniber
- Size
  
  10.6MB
- MD5
  
  922e0ce72b23593266b0486c19a6f6f0
- SHA1
  
  f0cb61f5fdc2c2d32f9d6155809ef2bcd629c154
- SHA256
  
  6af7f530b868da31e2c20ab699720cc32e307bb21df009209bfd17499986edee
- SHA512
  
  86a364059f8b8822577c46b5b884e465a57c210549e4ddab5fa3a105f5152f7ec687cb62f04f5a5ea4e014a3e036016498581d2a99c88e16961093b2df835c14
- SSDEEP
  
  98304:+YBKqmTVA7id7RyFZ+bhz4NjufFYBKqmTVA7id7RyFZ+bhz4NjufGpFK0U8AmJNl:5iTyybOSSiTyybOSMFKzYN
Score

10^/10

warzonerat discovery infostealer persistence rat macro
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Suspicious Office macro
  Office document equipped with macros.
  macro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryinfostealerpersistencerat

behavioral2

warzoneratdiscoveryinfostealermacropersistencerat

© 2018-2025

Terms | Privacy