warzonerat | 495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f | Triage

Submit
Reports

Overview

overview

Static

static

3

495607b1ae...3f.exe

windows7-x64

495607b1ae...3f.exe

windows10-2004-x64

Sharing

General

Target

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
Size

845KB
Sample

250113-ghlrls1ncq
MD5

eff0087d8b3c6bc011c06d38838458e7
SHA1

cd4ff1fc19792b0f8b8c4ce9adfcfca6e386e6a2
SHA256

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
SHA512

8819dac67e7f348e19fa0f516019266d6e42bfcc615bafd996a05efb89244e6b1a0eaab319fd31222c4112b9cefde4b6c4cc3456b5bd319a773c2e3d123aec24
SSDEEP

12288:2nmIWkfNeH++znVXoW87FqKqi13U3mWxw7DG0mCuT7Yeg4firr:2mFkfY+WnVX18BqBAU3e5mnn3

Score

10^/10

warzonerat discovery execution infostealer rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f.exe

Resource

win7-20241010-en

warzonerat discovery execution infostealer rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f.exe

Resource

win10v2004-20241007-en

warzonerat discovery execution infostealer rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

panchak.duckdns.org:5050

Targets

- Target
  
  495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
- Size
  
  845KB
- MD5
  
  eff0087d8b3c6bc011c06d38838458e7
- SHA1
  
  cd4ff1fc19792b0f8b8c4ce9adfcfca6e386e6a2
- SHA256
  
  495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
- SHA512
  
  8819dac67e7f348e19fa0f516019266d6e42bfcc615bafd996a05efb89244e6b1a0eaab319fd31222c4112b9cefde4b6c4cc3456b5bd319a773c2e3d123aec24
- SSDEEP
  
  12288:2nmIWkfNeH++znVXoW87FqKqi13U3mWxw7DG0mCuT7Yeg4firr:2mFkfY+WnVX18BqBAU3e5mnn3
Score

10^/10

warzonerat discovery execution infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

warzoneratdiscoveryexecutioninfostealerrat

behavioral2

warzoneratdiscoveryexecutioninfostealerrat

© 2018-2025

Terms | Privacy