warzonerat | 495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f

Resubmissions

13-01-2025 05:31

250113-f71rdsxrdt 10

12-01-2025 19:17

250112-xzjlksxqbn 10

Sharing

Copy URL

Twitter E-mail

General

Target

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
Size

845KB
Sample

250113-f71rdsxrdt
MD5

eff0087d8b3c6bc011c06d38838458e7
SHA1

cd4ff1fc19792b0f8b8c4ce9adfcfca6e386e6a2
SHA256

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
SHA512

8819dac67e7f348e19fa0f516019266d6e42bfcc615bafd996a05efb89244e6b1a0eaab319fd31222c4112b9cefde4b6c4cc3456b5bd319a773c2e3d123aec24
SSDEEP

12288:2nmIWkfNeH++znVXoW87FqKqi13U3mWxw7DG0mCuT7Yeg4firr:2mFkfY+WnVX18BqBAU3e5mnn3

Score

10^/10

Malware Config

Extracted

Family

warzonerat

panchak.duckdns.org:5050

Targets

- Target
  
  495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
- Size
  
  845KB
- MD5
  
  eff0087d8b3c6bc011c06d38838458e7
- SHA1
  
  cd4ff1fc19792b0f8b8c4ce9adfcfca6e386e6a2
- SHA256
  
  495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
- SHA512
  
  8819dac67e7f348e19fa0f516019266d6e42bfcc615bafd996a05efb89244e6b1a0eaab319fd31222c4112b9cefde4b6c4cc3456b5bd319a773c2e3d123aec24
- SSDEEP
  
  12288:2nmIWkfNeH++znVXoW87FqKqi13U3mWxw7DG0mCuT7Yeg4firr:2mFkfY+WnVX18BqBAU3e5mnn3
Score

10^/10

warzonerat discovery execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral10 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7 behavioral8 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

WarzoneRat, AveMaria

Warzonerat family

Warzone RAT payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10