warzonerat | 2981f3ed5cbeaa8b767c3fb92f70ac33a4c90686d97e9a620fceb7ccddc62d5d | Triage

Submit
Reports

Overview

overview

Static

static

3

dc9cee9090...18.exe

windows7-x64

dc9cee9090...18.exe

windows10-2004-x64

Sharing

General

Target

dc9cee9090f9ddb4c04e83c474a8abc2_JaffaCakes118
Size

353KB
Sample

240912-tz19vatelb
MD5

dc9cee9090f9ddb4c04e83c474a8abc2
SHA1

feadd617e8a0927d126b2eae8b9dd65b7befaa0a
SHA256

2981f3ed5cbeaa8b767c3fb92f70ac33a4c90686d97e9a620fceb7ccddc62d5d
SHA512

19d4b9a18fa780b5a6c2880046cf14c8056f25b38b71ec5ad6ad0a8708b8119260f37c064c8405b4f0f484521c8e72884462a987bf82fcea4696bb8b8b6693e3
SSDEEP

6144:+k/VRLIumZzfDxzv5VWsc4IC6ZV2jdZnUJGVK8XazcsqbeJd7K0JWc0XmEBRkgW/:+k/V1IumZzfD55VWs3IC62jzAMK8gbyU

Score

10^/10

warzonerat discovery execution infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

dc9cee9090f9ddb4c04e83c474a8abc2_JaffaCakes118.exe

Resource

win7-20240903-en

warzonerat discovery execution infostealer rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

dc9cee9090f9ddb4c04e83c474a8abc2_JaffaCakes118.exe

Resource

win10v2004-20240802-en

warzonerat discovery execution infostealer rat

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

185.239.242.133:5200

Targets

- Target
  
  dc9cee9090f9ddb4c04e83c474a8abc2_JaffaCakes118
- Size
  
  353KB
- MD5
  
  dc9cee9090f9ddb4c04e83c474a8abc2
- SHA1
  
  feadd617e8a0927d126b2eae8b9dd65b7befaa0a
- SHA256
  
  2981f3ed5cbeaa8b767c3fb92f70ac33a4c90686d97e9a620fceb7ccddc62d5d
- SHA512
  
  19d4b9a18fa780b5a6c2880046cf14c8056f25b38b71ec5ad6ad0a8708b8119260f37c064c8405b4f0f484521c8e72884462a987bf82fcea4696bb8b8b6693e3
- SSDEEP
  
  6144:+k/VRLIumZzfDxzv5VWsc4IC6ZV2jdZnUJGVK8XazcsqbeJd7K0JWc0XmEBRkgW/:+k/V1IumZzfD55VWs3IC62jzAMK8gbyU
Score

10^/10

warzonerat discovery execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryexecutioninfostealerrat

behavioral2

warzoneratdiscoveryexecutioninfostealerrat

© 2018-2025

Terms | Privacy