Extracted

• • Target

    New order.exe

  • Size

    1.1MB

  • MD5

    d02f4fcad5288156d4afae51c120648a

  • SHA1

    68c3f393f68bb4636c9e2f1a76e5d37259de620b

  • SHA256

    886442e876aac74a0339513e0b70e04a808b6ddd9d6ac0ad0eded4f0bd47d101

  • SHA512

    e22a8ddb83ed25a50c1f4b26d0549d6bb3ffa2fe6946193cbbbe614f940d21a1941102ebcffd0feacb5e398ca2b880c44a29385ec134976f12a4f92f3597732f

  • SSDEEP

    24576:nAOcZXZZuapPSa+i7G2ooCN96HDhOrTCRb60i3/BSERD5KH4kCkj:ZePSiG2eGOHG3y/BNR9KH4c

  Score

  10^/10

  warzoneratinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2