General
Target: 1eb697dff13eb912b3b788b3a7fc68fe90649e1b9fd668c00a4e5adc3d50e072
Size: 378KB
Sample: 220520-2mnf8affa8
MD5: b4a99e69f87a750af2af2bbf9b530cbf
SHA1: 6d8cec0c911d5fb890a65b02d60ace83a6310dea
SHA256: 1eb697dff13eb912b3b788b3a7fc68fe90649e1b9fd668c00a4e5adc3d50e072
SHA512: bef4bc505e768a3a864b0451adc030645835673e7f4351ac1ab45b32e60f44bbdfb70e06f38bb5513e617ceef6ac44039fb62b0e3192527e1dfa37af08e320ca
Static task: static1
Behavioral task: behavioral1
  Sample: PO-84542.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO-84542.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: warzonerat
194.5.98.158:4570
Targets
Target: PO-84542.exe
Size: 469KB
MD5: 20eee2daca26b592dd74fc3e2c6c843d
SHA1: bd8ae32c6db7c683712779cf692ad576cbc697df
SHA256: 147fd6db099fd3dc5df37edc08622878edd4b048e858e8c002db3f3511d922a6
SHA512: dc2e222e1f6e1c1b5656462681c1c1527cd3d2a2be092ffdd8185505cd643926296afdbb4d31c78318b5219c37bf17611e591f2c6d9ee1568c50c29c8f0876cd
Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Looks for VirtualBox Guest Additions in registry
- Warzone RAT Payload
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext