General
Target: 8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a
Size: 143KB
Sample: 220521-b1sd8afhcm
MD5: fbe29d660cb9c98b7844b7510565cedc
SHA1: e40aa11a8e098a84b982e436b34158955fc60943
SHA256: 8757c5b86ad6d98c723473fd79bae3349b3c308da3ba8cf7c0fa8696e3d69d3a
SHA512: 9c83428b740a22e64029db0c5bb032927c239ca426ec5f7a2a1440f37b9ef3892d263b2c8eac91e3c1234d52cf3f6dd5044e1d65cca073030fc3ca324dc4c787
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation-937847836-178474.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Quotation-937847836-178474.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
warzonerat
newzone.from-ne.com:3200
Targets
Target: Quotation-937847836-178474.exe
Size: 188KB
MD5: bbc4ffcf3ffdd24fda14f1d234966e33
SHA1: 9d4d3b412493806601fa61492d0b58f06bce3ee1
SHA256: 4a1f7dc3d33366c303e8fb2c7c44d4929d5898f219bcf952bafba336b8056e91
SHA512: f1e33bee03ddaaee6682b351a522ea3a8759b324a1aefeb885ae5407d78b18053f21336d247cb1b9ddbb7c0d2b00c85c44165c04b47191650812913850d46f3b
Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Looks for VirtualBox Guest Additions in registry
Warzone RAT Payload
Looks for VMWare Tools registry key
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext