warzonerat | 325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853 | Triage

Submit
Reports

Overview

overview

Static

static

3

Purchase#O...df.exe

windows7-x64

Purchase#O...df.exe

windows10-2004-x64

Sharing

General

Target

Purchase#Order630080.pdf.exe
Size

870KB
Sample

241101-t2dlka1ley
MD5

76a9764d18535113e206f661a70764a3
SHA1

cbb20d9ad86fa8374553203efff7d6baadfaeaa7
SHA256

325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
SHA512

4952c1cc85464b54bc55a1272a763e3a93c48cd3576f53e9212d746ab1dfffdf8925095526ff9b2c2039dd40d59162540a7c39d04eb1b83fb0cb99fa6185dcb0
SSDEEP

12288:GvfVhpeMc5IFhtCIUQvihNEJYcxoWUgL82DsijKZF61:GvfVs5oEIUTE9ygAzijKZs

Score

10^/10

warzonerat collection discovery execution infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase#Order630080.pdf.exe

Resource

win7-20240903-en

warzonerat collection discovery execution infostealer rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase#Order630080.pdf.exe

Resource

win10v2004-20241007-en

warzonerat collection discovery execution infostealer rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

185.29.8.102:3312

Targets

- Target
  
  Purchase#Order630080.pdf.exe
- Size
  
  870KB
- MD5
  
  76a9764d18535113e206f661a70764a3
- SHA1
  
  cbb20d9ad86fa8374553203efff7d6baadfaeaa7
- SHA256
  
  325be1d623422763b0e16bc3c294cc5c006f6fb2ff8ddbf9eb0e45f8d8ac6853
- SHA512
  
  4952c1cc85464b54bc55a1272a763e3a93c48cd3576f53e9212d746ab1dfffdf8925095526ff9b2c2039dd40d59162540a7c39d04eb1b83fb0cb99fa6185dcb0
- SSDEEP
  
  12288:GvfVhpeMc5IFhtCIUQvihNEJYcxoWUgL82DsijKZF61:GvfVs5oEIUTE9ygAzijKZs
Score

10^/10

warzonerat collection discovery execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratcollectiondiscoveryexecutioninfostealerrat

behavioral2

warzoneratcollectiondiscoveryexecutioninfostealerrat

© 2018-2024

Terms | Privacy