General
-
Target
RFQ - RM678890 RM66789.XLX.exe
-
Size
1.6MB
-
Sample
211125-tjhskabad9
-
MD5
08c72bf1f25b905f3eefd881a8cfaf95
-
SHA1
2fea140816601b3b5d02d8d18b860f1c88e099af
-
SHA256
7d2513132d07adf745141e5860b022afce543e2070a17d303833171d45f93e90
-
SHA512
94dde4a345393d10b59f1011c78df1143311090bb72388aa6bf61f34ac2346d606c6849096d38e9165a3091406474a3d1aa85a0ea21c548d3c771d8d0b74e841
Static task
static1
Behavioral task
behavioral1
Sample
RFQ - RM678890 RM66789.XLX.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
RFQ - RM678890 RM66789.XLX.exe
Resource
win10-en-20211014
Malware Config
Extracted
warzonerat
91.193.75.173:6667
Targets
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT Payload
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-