warzonerat | 1cd52872ede6bcaa5f768ded0b10dc5e60d9abc3f174bbefc35bb88c6ca482a0 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

5

2bcb380772...3f.exe

windows7-x64

3

2bcb380772...3f.exe

windows10-2004-x64

2bcb380772...3f.exe

windows10-ltsc 2021-x64

Sharing

General

Target

2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f.zip
Size

670KB
Sample

250303-zpmatsynw2
MD5

3fbec9c6c749d430e7a46bd0999a28e9
SHA1

1cf26a3ac9372e05b34ecf0f05a5d9b093192f0c
SHA256

1cd52872ede6bcaa5f768ded0b10dc5e60d9abc3f174bbefc35bb88c6ca482a0
SHA512

ea6be9a4cc2e1b5fc8b9133ba36c3f89d0a157d8de786b84e83bb65e1c327b9f80d4ea067b3e122e88032dd1f7b5d32dc7e8d1d3a9d0413201e3c18d1878d49b
SSDEEP

12288:W/XufGUpIJ3p5N6Sa5wCj/0IlbIS/bATBY9/AS5yPixQ3uncCfIz033mr:YXiGhVF6X/AabPbH9dciO3ucCfI430

Score

10^/10

warzonerat discovery execution infostealer persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f.exe

Resource

win7-20241010-en

windows7-x64

5 signatures

600 seconds

Behavioral task

behavioral2

Sample

2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f.exe

Resource

win10v2004-20250217-en

warzonerat discovery execution infostealer persistence rat

windows10-2004-x64

15 signatures

600 seconds

Behavioral task

behavioral3

Sample

2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f.exe

Resource

win10ltsc2021-20250217-en

warzonerat discovery execution infostealer persistence rat

windows10-ltsc 2021-x64

15 signatures

600 seconds

Malware Config

Extracted

Family

warzonerat

C2

orangestar.hopto.org:6380

Targets

- Target
  
  2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f
- Size
  
  1.0MB
- MD5
  
  1afb828980cd3a0234cd51dec11ecc04
- SHA1
  
  46f06f7097333a9c9ff1404c8cbd1fa99f5675e4
- SHA256
  
  2bcb38077232015d9973e3a398137405044967e19c50320705bfb36d5a41fe3f
- SHA512
  
  e15add9602b727dfd2800a2e77bcff81305bac579249dda3d9f1991ae9bc6a977a3a8569a9d851f623eb8c45a58a3aafa6b4e67cde630379f6090d9181abc731
- SSDEEP
  
  12288:iCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgalI2I19TtY1:iCdxte/80jYLT3U1jfsWamB9P9RMAQ
Score

10^/10

discovery warzonerat execution infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

warzoneratdiscoveryexecutioninfostealerpersistencerat

behavioral3

warzoneratdiscoveryexecutioninfostealerpersistencerat

© 2018-2025

Terms | Privacy