warzonerat | 9ad5fb5c8f0b886ed22e202f5bcfd8e8c4d0617b270660d0907ca8c87ac2f0b7 | Triage

Submit
Reports

Overview

overview

Static

static

1

Company Profile.vbs

windows7-x64

Company Profile.vbs

windows10-2004-x64

Sharing

General

Target

Company Profile.vbs
Size

189KB
Sample

241007-fxk8ysxgpq
MD5

ee122a95d229ae3027779aaa863f11be
SHA1

46b92d71b1a3cfb213ea400f5e1e5cda0a7d7ce7
SHA256

9ad5fb5c8f0b886ed22e202f5bcfd8e8c4d0617b270660d0907ca8c87ac2f0b7
SHA512

4c088ea8528b6525fb284e42020e74c979c372f805495c23ee4c36635a2a6199203115ec5dbff523d0a1741a60e4612643aebadd44d81a288acd5a3c506b5cc6
SSDEEP

3072:c4ehYpD1tZytL6pMdHPppygt5ppGwt7iLnst+7PbcqMm+/QcZc51:c1eD1T4ZRWDcqj+/Q551

Score

10^/10

warzonerat collection discovery execution infostealer rat

Static task

static1

Behavioral task

behavioral1

Sample

Company Profile.vbs

Resource

win7-20240903-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Company Profile.vbs

Resource

win10v2004-20240802-en

warzonerat collection discovery execution infostealer rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Extracted

Family

warzonerat

C2

109.248.151.156:2048

Targets

- Target
  
  Company Profile.vbs
- Size
  
  189KB
- MD5
  
  ee122a95d229ae3027779aaa863f11be
- SHA1
  
  46b92d71b1a3cfb213ea400f5e1e5cda0a7d7ce7
- SHA256
  
  9ad5fb5c8f0b886ed22e202f5bcfd8e8c4d0617b270660d0907ca8c87ac2f0b7
- SHA512
  
  4c088ea8528b6525fb284e42020e74c979c372f805495c23ee4c36635a2a6199203115ec5dbff523d0a1741a60e4612643aebadd44d81a288acd5a3c506b5cc6
- SSDEEP
  
  3072:c4ehYpD1tZytL6pMdHPppygt5ppGwt7iLnst+7PbcqMm+/QcZc51:c1eD1T4ZRWDcqj+/Q551
Score

10^/10

execution warzonerat collection discovery infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratcollectiondiscoveryexecutioninfostealerrat

© 2018-2025

Terms | Privacy