Extracted

• • Target

    f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

  • Size

    468KB

  • MD5

    606529b46b36d5989d93440d0f9e85cf

  • SHA1

    9dd95827086393300df86e724644038d014f7473

  • SHA256

    f2d7458e107f2ff3afadf2aab5616a260299bd40c55753cc6ae3234ebd9f5ac3

  • SHA512

    b97d2d3f46e769a33c2d05b5bd46e4cda845c3450d2f123fd9a4486e56b593ea79507d2d08f2add6f0449a677cd9d7bd3127f984c425e081cb7378b94ded2292

  Score

  10^/10

  netwirewarzoneratbotnetinfostealerpersistenceratstealer

  • NetWire RAT payload

    rat

  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2