General
  Target: pdf.exe
  Size: 1016KB
  Sample: 210112-rf9srwz8gn
  MD5: 10b0b1473ceb303ef6b03214fbc76919
  SHA1: 4178d9f4bee32035f30e888e38565290c2919d68
  SHA256: 6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9
  SHA512: 2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592
Static task: static1
Behavioral task: behavioral1
  Sample: pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: pdf.exe
  Resource: win10v20201028
Malware Config
  Extracted: warzonerat
  ofenja.zapto.org:5200
Targets
  Target: pdf.exe
  Size: 1016KB
  MD5: 10b0b1473ceb303ef6b03214fbc76919
  SHA1: 4178d9f4bee32035f30e888e38565290c2919d68
  SHA256: 6764633b19998476bdf7ced0b5197a292c545a9e8068b44b40afd720bbbb62d9
  SHA512: 2f8df799d3d9b022d6a0fbc20259ad3905b7800fcd54516f76d8de9261f509cc864f4c7347edfaf7a22fc83082613e63a1a9f74918c421a313bdf64e5bf20592
  Score: 10/10
  WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
  - Warzone RAT Payload
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext