warzonerat | 730419e98bfe7df620914152b813c784f9c3645794aa19e6160dd258f8422025 | Triage

Submit
Reports

Overview

overview

Static

static

3

DOC7790.exe

windows7-x64

DOC7790.exe

windows10-2004-x64

Sharing

General

Target

1afbf93739476cf388297983f1c4f32a_JaffaCakes118
Size

1.7MB
Sample

240701-mrb7eswhqe
MD5

1afbf93739476cf388297983f1c4f32a
SHA1

133f3ad67f07793e2a8dda6fc200b59e20b9cddf
SHA256

730419e98bfe7df620914152b813c784f9c3645794aa19e6160dd258f8422025
SHA512

45a75fe2f1e912c897ee779bd4c327799ec5311d15654e78110bc6b5fb9622d69bcb9ead98e2a444a3160d7a7a0e8e7696156cb099ecaa6f2abddd2df1db0441
SSDEEP

6144:txd05BAl92z8P2GhNRavMIuLAhwQI9To0TM4pONBMbvoyA4KhD3Njzx6D:tx+c5P2iNS9ZPysBMcz3Nj

Score

10^/10

warzonerat execution infostealer rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

DOC7790.exe

Resource

win7-20231129-en

warzonerat execution infostealer rat trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

DOC7790.exe

Resource

win10v2004-20240611-en

warzonerat execution infostealer rat trojan

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

warzonerat

C2

212.192.241.54:5200

Targets

- Target
  
  DOC7790.exe
- Size
  
  1.1MB
- MD5
  
  650343549a8f3d22f8dd073c806daca8
- SHA1
  
  a51f94d650b75451ac9fd58599c9b5839f415218
- SHA256
  
  a8a5bfc62922bd09677deb20fe7d4c18a9098bdbc29322c7629d368d9f261a6d
- SHA512
  
  ab28a2e7b561c30e0d5f1c8f1d2917faa0938a640ec63b8475312fc7e624e857fd66b0e2d9d949ae4e9f3e492b8572b6a2dbf20efcd5b06248eb2b242c460110
- SSDEEP
  
  6144:exd05BAl92z8P2GhNRavMIuLAhwQI9To0TM4pONBMbvoyA4KhD3Njzx6D:ex+c5P2iNS9ZPysBMcz3Nj
Score

10^/10

warzonerat execution infostealer rat trojan
- Detects BazaLoader malware
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

warzoneratexecutioninfostealerrattrojan

behavioral2

warzoneratexecutioninfostealerrattrojan

© 2018-2024

Terms | Privacy