General
Target: CHIVALRO.EXE
Size: 223KB
Sample: 221111-w54chahg73
MD5: 425cf022932c7ace6542f18af4fbac2a
SHA1: 7e162ccedf35afe7fbd723c7bf98096198c6ccdf
SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
SHA512: 5893207c0fe482347667236ac1027368a5633cf42483dd2a86034191c1e809725522a32a51ad406d706fd3255b4940732310ddc0d3841551ef3946c4277de777
SSDEEP: 3072:Wgsmet6LIYizuFKaSbahlinQzDKsoMUNq4m+oJTlwuZgMYOzXqPDNZfDCpqKU:94t6LsYKtOQn8quxlzeMYOzXq5FZ1

Static task: static1
Behavioral task: behavioral1
Sample: CHIVALRO.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: CHIVALRO.exe
Resource: win10v2004-20220812-en
Malware Config
Targets
Target: CHIVALRO.EXE
WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext