General
Target: 861aca269e985c7a5e9c42ac5f7e44bad6ee137fd383b3cf2887944439c3c7f5
Size: 1.3MB
Sample: 220217-aa5fesefd7
MD5: 2f71bea00db787a5e955a7d811053494
SHA1: 6d2b26ed5cdae4346e5c00a3d0adee7eff4a29b9
SHA256: 861aca269e985c7a5e9c42ac5f7e44bad6ee137fd383b3cf2887944439c3c7f5
SHA512: 04bc743c109f8cfd9e07027046c787233a3fd130b1fb45a762e4a6c492aa74318425fa45c03d83a82c4c1d88e44a4460f85616aedefb73ffeac0d571ecf11e6e
Behavioral task behavioral1
Sample: 861aca269e985c7a5e9c42ac5f7e44bad6ee137fd383b3cf2887944439c3c7f5.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: 861aca269e985c7a5e9c42ac5f7e44bad6ee137fd383b3cf2887944439c3c7f5.exe
Resource: win10v2004-en-20220113
Malware Config
Extracted config (warzonerat): wealth.warzonedns.com:5202
Targets
Target: 861aca269e985c7a5e9c42ac5f7e44bad6ee137fd383b3cf2887944439c3c7f5
Score: 10/10
Signatures
NetWire RAT payload
WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
Warzone RAT Payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Suspicious use of SetThreadContext
autoit_exe: AutoIT scripts compiled to PE executables.