warzonerat | 6f71eb8899083e2d40607c4a7133fc84e463d20a85373b8d57ce527c6b8dbfab | Triage

Sharing

General

Target

6f71eb8899083e2d40607c4a7133fc84e463d20a85373b8d57ce527c6b8dbfab
Size

43KB
Sample

241014-x1vegawanp
MD5

4cc98a0e3036f8130c4f3c91c1bb096c
SHA1

2b3857ffee999f6ab379de0322f36f5448925f41
SHA256

6f71eb8899083e2d40607c4a7133fc84e463d20a85373b8d57ce527c6b8dbfab
SHA512

28e29e9b4978a71c29ff6c72a1729ae123058ef8954ca9fef5e8fc503f85bf1712b80393f45c755c153c2678d97dfd9db6a49007684cb47a13c340af99a6247b
SSDEEP

768:FeE0XUczc56lC/CH2N2YEJmvT5AbeeO7jcyZgMbX1VdJPP6pgOdE:FeEixzc5zdN2YCmvTSqeOfc+g+RJPcgr

Score

10^/10

warzonerat collection discovery execution infostealer rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Extracted

Family

warzonerat

C2

109.248.151.156:2048

Targets

- Target
  
  Request for Order Confirmation.js
- Size
  
  132KB
- MD5
  
  cf48d5899c9295bffe75ae7a996827cb
- SHA1
  
  d11b50ea9e628393bc2ae2de9b92251c555bfaa3
- SHA256
  
  be6d11434ecb91728a1a8a19501378e1202f18f927430aa8f4ba4b4ea16dc04d
- SHA512
  
  02127309eaccaea558914137c1fd8cc7f57febc756b20f0164ae30659c10df5065760f05ffd19e1512427d716d2d9e122cdcf64524d35b8501257e0a636f59c2
- SSDEEP
  
  3072:lN0l/ZP90LxFAsyYgQ/yNvyrr5Ae0FNoQVN0l/ZP90LxFAsyYgh:kZClF+1QW21zKF0ZClF+1h
Score

10^/10

execution warzonerat collection discovery infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratcollectiondiscoveryexecutioninfostealerrat