General
-
Target
Q_007880.gz
-
Size
415KB
-
Sample
210716-g4rydqmads
-
MD5
da7da6d9acf86c6b2dce58868ed6953f
-
SHA1
cfe83eec2327461ead403b285ba1ba8022a49aa8
-
SHA256
2b2d0b2d3441d43e9bfc469ea4f3f237c65407defbb5ce8c18e8d9e01cb3f68e
-
SHA512
a8289a6a704aeedd094a2ab53ad57b3bae8415672e40d99932d196ed968a31842812bcf87f1a0a4806fc61b49621a84496c7fe47fc9ebdf76a0366583d34a637
Static task
static1
Behavioral task
behavioral1
Sample
Q_007880.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Q_007880.exe
Resource
win10v20210408
Malware Config
Extracted
warzonerat
194.5.97.168:3640
Targets
-
-
Target
Q_007880.exe
-
Size
840KB
-
MD5
29d9976d73aabf191eafe0f8b045cc85
-
SHA1
8332c39e496873afdc4fd89210e293204b085a63
-
SHA256
dcf103b03ea1c41a8b40f788b2920177f0d39f27af47452b6a1b2c9fc345dd6a
-
SHA512
3ff3b6bb06a8c0bfd2793460e197ab45559f6176998006d711ada313bc27a16f16ee873692640b6283b77cd6ae75a8f72479780705fbe5a02a03f5a275f40002
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Sets DLL path for service in the registry
-
Drops startup file
-
Loads dropped DLL
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-