warzonerat | 2a55348b41e5bc666de29f92002b206768a7f6b134e3901e48abe2ae7b4b6b47 | Triage

Submit
Reports

Overview

overview

Static

static

3

RFQ 675766...53.scr

windows7-x64

RFQ 675766...53.scr

windows10-2004-x64

Sharing

General

Target

2a55348b41e5bc666de29f92002b206768a7f6b134e3901e48abe2ae7b4b6b47
Size

541KB
Sample

250109-k9velswjgt
MD5

9cefa5afea5fad4675ffb709cce44c0d
SHA1

d3710500885a0be57a73da69797b82cf8ee7f677
SHA256

2a55348b41e5bc666de29f92002b206768a7f6b134e3901e48abe2ae7b4b6b47
SHA512

642953cb966183556ac011c137d5f747adfadabbbb219b550e649d1de243988995c73cc82811b0baffdd73c381ff3381881a66e210136e366f4edc8e88e361b8
SSDEEP

12288:qgYAfBxqFSQkvPxKrygmnFYE0PO6kBInDKtS0NCjVM:rYAfBxCknxEJmFqGEgS0QhM

Score

10^/10

warzonerat defense_evasion discovery execution infostealer persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RFQ 675766567456534534534534535434534564456453.scr

Resource

win7-20241023-en

warzonerat defense_evasion discovery execution infostealer persistence rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ 675766567456534534534534535434534564456453.scr

Resource

win10v2004-20241007-en

warzonerat defense_evasion discovery execution infostealer persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

172.245.23.149:4020

Targets

- Target
  
  RFQ 675766567456534534534534535434534564456453.scr
- Size
  
  580KB
- MD5
  
  6772fb0a8d636027e91b8fa238c4ab3c
- SHA1
  
  1c1a0b57de7fa94ffadaaf91f846f5a8bea8f019
- SHA256
  
  247bc285f9b882ff9318ecc7049c4209d43187c0657988dcce7fe5f0a6067be7
- SHA512
  
  1ae632ec6c00852d2e9ee6953cc15905fab3599eff4340ac0902d99aa5fc0aeb7f21d1a8dc0ced672ee323e54dae374216f19d1f7475d857df04c2fdf94d319f
- SSDEEP
  
  12288:ShjS4JRwD94pRZASB9+VUEJxcWEak/+s6uQxNlJcbq:StSqR2ipRZDgeEJxP3hb
Score

10^/10

warzonerat defense_evasion discovery execution infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Server Software Component: Terminal Services DLL
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies WinLogon
  persistence
- Hide Artifacts: Hidden Users
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Users

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdefense_evasiondiscoveryexecutioninfostealerpersistencerat

behavioral2

warzoneratdefense_evasiondiscoveryexecutioninfostealerpersistencerat

© 2018-2025

Terms | Privacy