Extracted

• • Target

    Payment Swift.exe

  • Size

    611KB

  • MD5

    62ee0d3aebacdbfeaa1b31781398b22c

  • SHA1

    28ea8142385b4c64f8157299d3d44d00244c2e6a

  • SHA256

    61d43a20936f0a0ed8a535e4eb21535009b271f91e62200b29c92dc46d731c64

  • SHA512

    24945a0e303d5ae9854271a93440dbf042e20f45f42d70bb29fd58064ce4f2b66cdc87fa0d2b3440154d74e0fdb3ba6e36c8c89592fade051b07a9a1f967fd47

  Score

  10^/10

  warzoneratinfostealerratcollectionevasionpersistencespywarestealerupx

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2