Extracted

• • Target

    Uj bejelentkezEsi adatai·pdf.exe

  • Size

    864KB

  • MD5

    bb5eef6ab8be4b744a9d31e3e07f639a

  • SHA1

    f39a49aad31cc0188f985d789deefaa74329b993

  • SHA256

    21d09c77de01cc95209727752e866221ad3b66d5233ab52cfe5249a3867ef8d8

  • SHA512

    297fe7d56d770df96719e00bcb63294503c07507edd5ddafdec7f4f7866e6b41f93ab786575a899411b8633bbaee17f5f7c4efed175e2794ba05a8392e3b9445

  • SSDEEP

    6144:jswxmS3Prp/fcCNjhIJqUAhsbgDQ6qs3PrVeFJIeUSZkyuWGsQJjOE5De9jCCjL1:VxZPtZIEtcV0edmTZskDuVZQY

  Score

  10^/10

  warzoneratevasioninfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2