Extracted

• • Target

    doc121022.exe

  • Size

    1.1MB

  • MD5

    d7b9892dc61364b3afff20102449ff9d

  • SHA1

    bc6e515ea1fcf148ce5017da80111497588896ad

  • SHA256

    a7878b086974135c98dcfd18b0e131a88fb6138e26f3e04970ac8f2b4c98e550

  • SHA512

    7b104d239cd3b9897da0f7ee7f72905cd28395c492b07e8fe2b25e56830d7940dbc488255c4f4920e187580b0fbc3db6b94bb4afdaa91cdfb26ad221234d481b

  • SSDEEP

    24576:TAOcZzZeJqyaDsTz6tYja1iUC3lymRRG5V:1NtUYja1GV0n

  Score

  10^/10

  warzoneratcollectioninfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2