General

Target: RFQ023018000171984CW289170-A & CW20145344323443-xslx.iso
Size: 416KB
Sample: 221001-ztjqhagfdl
MD5: 945e6eae3156706c5483152ac3c14f8b
SHA1: 3cbab96e5d25a07e67e8d6f86b553986828a6116
SHA256: 68c72a9af569a7153e51d7bd7c99571232a7955967a07a910680865afbbb0afb
SHA512: d43f98ca05b8e7c4cd69e2ca971b33365abb2fc6a08bc8f3533fc2c3b41f12d07703045fdc1d607c878f8bb2cf6d5c4c4ab4e00c4cf1ddabef061498a8963c97
SSDEEP: 3072:M/ies1pdcWyMCD5qfa0IJD59YR+umhBbHVrqAd8i9uBs71hEbaFSkjiRrP6Aq:MqLDTClqfa0IxzYR+5hBzAAugqFa+
Static task: static1

Behavioral task: behavioral1
Sample: RFQ023018000171984CW289170-A & CW20145344323443-xslx.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: RFQ023018000171984CW289170-A & CW20145344323443-xslx.exe
Resource: win10v2004-20220901-en
Malware Config

Extracted family: warzonerat
C2 (from extracted config): 81.161.229.75:5200
Targets

Target: RFQ023018000171984CW289170-A & CW20145344323443-xslx.exe
Size: 355KB
MD5: e2fdeb0871673296aad75a0e2b26276d
SHA1: 0a5e24e2270ca08b763348784dd3b76bd9620c8b
SHA256: 089e22b0800e63398322f535240d8043b8d7e4a561245718ed5bf88fbb22e799
SHA512: 20c61659d19e59aac8571e3f93429f01e4b82d523d7ae7e594063f3c2e923f30bf2b5b2c6ec956ad5d5411b0e2b0107e1e135fb355c6bbeffef67d3e3c7e93f9
SSDEEP: 3072:4/ies1pdcWyMCD5qfa0IJD59YR+umhBbHVrqAd8i9uBs71hEbaFSkjiRrP6Aq:4qLDTClqfa0IxzYR+5hBzAAugqFa+
WarzoneRat, AveMaria
WarzoneRat (also sold under the name AveMaria) is a native Windows RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

- Warzone RAT payload
- Executes dropped EXE
- Modifies Windows Firewall
- Sets DLL path for service in the registry
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext
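The report above is the raw material for hunting: two file hashes (the ISO lure and the executable it carries) and one extracted C2 socket. The following script is an added example, not part of the sandbox report or of any analysis tooling; it parses a constructed copy of the report's flattened key/value lines into an IOC set, then checks file contents (by recomputing MD5/SHA1/SHA256/SHA512) and destination sockets against it. The only assumption it makes is that the `ip:port` under the extracted warzonerat config is the C2 address; the sample connection events and the `b"abc"` file contents are constructed inputs.

```python
"""Turn a flattened sandbox report into an IOC set and match events against it.
Added example; not the sandbox's own code. Only hashlib and re are used."""
import hashlib
import re

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: the value under the extracted config is a C2 socket "ip:port".
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed copy of the report's key/value lines (only the fields used here).
REPORT_TEXT = """
Target
RFQ023018000171984CW289170-A & CW20145344323443-xslx.iso
Size
416KB
MD5
945e6eae3156706c5483152ac3c14f8b
SHA256
68c72a9af569a7153e51d7bd7c99571232a7955967a07a910680865afbbb0afb
Malware Config
Extracted
warzonerat
81.161.229.75:5200
Targets
Target
RFQ023018000171984CW289170-A & CW20145344323443-xslx.exe
Size
355KB
MD5
e2fdeb0871673296aad75a0e2b26276d
SHA256
089e22b0800e63398322f535240d8043b8d7e4a561245718ed5bf88fbb22e799
"""


def parse_report(text):
    """Walk the key/value lines: a key line is followed by its value line.
    Hash values are validated by hex alphabet and length before being kept."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    iocs = {"hashes": {}, "c2": [], "family": None, "targets": []}
    i = 0
    while i < len(lines):
        key = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if key in HASH_LENGTHS:
            value = nxt.lower()
            if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[key], value):
                iocs["hashes"].setdefault(key.lower(), set()).add(value)
            i += 2
        elif key == "Target":
            iocs["targets"].append(nxt)
            i += 2
        elif key == "Extracted":
            # Family name, then the config value on the line after it.
            iocs["family"] = nxt.lower()
            m = C2_RE.match(lines[i + 2]) if i + 2 < len(lines) else None
            if m:
                iocs["c2"].append((m.group(1), int(m.group(2))))
            i += 3
        else:
            i += 1
    return iocs


def file_digests(data):
    """All four digests the report lists, so any one of them can be matched."""
    return {alg: getattr(hashlib, alg)(data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match_file(data, iocs):
    """Algorithms under which `data` hashes to a value listed in the report."""
    digests = file_digests(data)
    return sorted(alg for alg, hx in digests.items()
                  if hx in iocs["hashes"].get(alg, set()))


def match_connections(events, iocs):
    """events: iterable of (dst_ip, dst_port). Returns those hitting the C2."""
    c2 = set(iocs["c2"])
    return [ev for ev in events if ev in c2]


if __name__ == "__main__":
    iocs = parse_report(REPORT_TEXT)
    print("family:", iocs["family"], "c2:", iocs["c2"])
    # Constructed netflow-style events: one hits the C2 socket, one does not.
    print(match_connections([("81.161.229.75", 5200), ("81.161.229.75", 443)], iocs))
    print(match_file(b"abc", iocs))  # constructed bytes, not the sample
```

Matching on every listed digest rather than only SHA256 matters in practice: EDR, mail gateways and proxy logs often record only MD5 or SHA1, and the report gives all four so the same IOC set works across those sources.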