Extracted

• • Target

    Request For RFQ-Quote - Purchase order-#04973579329.exe

  • Size

    332KB

  • MD5

    2fa872c29baefef24bd046b7813a049d

  • SHA1

    a1222c09bde48a4949a66df1b10d96eacbc83a37

  • SHA256

    c10a9477615e2070cd7bdfb136a14837607a48538a6301473809ed8cd83fd7c8

  • SHA512

    377a7b74d1e7dcb59cd571c6bd3ed24ee654215d719d20a96fb61a32c27e967f042b9a3b149100c87872dc0ae8923b3d4ebdb11418207ce8153daf1f9daf4ba1

  • SSDEEP

    6144:NfimM71dJOEqCEINXeHCm2WRMCVdKrLPefCoJ8L77:gx32IReT2WRMCi/xh7

  Score

  10^/10

  warzoneratevasioninfostealerratupxcollectionpersistence

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Drops startup file

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2