warzonerat | b4f5de44a5baff70cc3554c1963e2126d68b80fe703833b1a84629d1b003670e | Triage

Submit
Reports

Overview

overview

Static

static

1

bf2897f4d98b84ca.png

windows7-x64

6

bf2897f4d98b84ca.png

windows10-2004-x64

Sharing

General

Target

bf2897f4d98b84ca.png
Size

1KB
Sample

250128-a93e4s1nhv
MD5

0226fff44d4c6525b16a81754ae3e38e
SHA1

4978a0c3b095b7543b4c329b545518dccdc6c9df
SHA256

b4f5de44a5baff70cc3554c1963e2126d68b80fe703833b1a84629d1b003670e
SHA512

fa9ef790307999534e22697d9eb81be3dba64f0c5e244e94943b1c8ecd67934c854bac6d7244a9f11dbb269186970e178050f124e150a4b942f3f61c4a036732

Score

10^/10

warzonerat aspackv2 discovery execution infostealer rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

bf2897f4d98b84ca.png

Resource

win7-20240903-en

windows7-x64

12 signatures

900 seconds

Behavioral task

behavioral2

Sample

bf2897f4d98b84ca.png

Resource

win10v2004-20241007-en

warzonerat aspackv2 discovery execution infostealer rat rezer0

windows10-2004-x64

29 signatures

900 seconds

Malware Config

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Targets

- Target
  
  bf2897f4d98b84ca.png
- Size
  
  1KB
- MD5
  
  0226fff44d4c6525b16a81754ae3e38e
- SHA1
  
  4978a0c3b095b7543b4c329b545518dccdc6c9df
- SHA256
  
  b4f5de44a5baff70cc3554c1963e2126d68b80fe703833b1a84629d1b003670e
- SHA512
  
  fa9ef790307999534e22697d9eb81be3dba64f0c5e244e94943b1c8ecd67934c854bac6d7244a9f11dbb269186970e178050f124e150a4b942f3f61c4a036732
Score

10^/10

discovery warzonerat aspackv2 execution infostealer rat rezer0
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Warzone RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzonerataspackv2discoveryexecutioninfostealerratrezer0

© 2018-2025

Terms | Privacy