warzonerat | 9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f | Triage

Sharing

General

Target

9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f
Size

10.6MB
Sample

240917-q24afawbne
MD5

584885e79b756d67adcacf22b63aa45f
SHA1

f82a8ccdd9c3249978b96bf97d246d093c0cdef7
SHA256

9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f
SHA512

11e8feaf2a5ec92b5270ed339a94cbd0d2911d4f3e68cf734bd55a9a3cb1135a51c543cfa08087438ab9f0b546bcdc5a2b5e127fe3c16b1463fec8834a42f794
SSDEEP

196608:PG9aKsMJK6aaZy/h2x4CI9Goz6VABDSrraGelaOV1HnkQpBtj8IxXDqQ7poZ:PnKsMJK65Y/h2x5Xoz6OBDgE5V1HkKto

Score

10^/10

warzonerat discovery infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

gggb.dvrdns.org:1515

Targets

- Target
  
  9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f
- Size
  
  10.6MB
- MD5
  
  584885e79b756d67adcacf22b63aa45f
- SHA1
  
  f82a8ccdd9c3249978b96bf97d246d093c0cdef7
- SHA256
  
  9c88e3f3ded8c11a4087ba940868b310936d7b763885b4f50b9fe7a8701f722f
- SHA512
  
  11e8feaf2a5ec92b5270ed339a94cbd0d2911d4f3e68cf734bd55a9a3cb1135a51c543cfa08087438ab9f0b546bcdc5a2b5e127fe3c16b1463fec8834a42f794
- SSDEEP
  
  196608:PG9aKsMJK6aaZy/h2x4CI9Goz6VABDSrraGelaOV1HnkQpBtj8IxXDqQ7poZ:PnKsMJK65Y/h2x5Xoz6OBDgE5V1HkKto
Score

10^/10

warzonerat discovery infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryinfostealerpersistencerat

behavioral2

warzoneratdiscoveryinfostealerpersistencerat