warzonerat | 6436cc9f798618dcce8d46276d2bf95cfe2f3ec72d12cad218c6e7faa691d121

General

Target

Névtelen melléklet (00009).zip
Size

537KB
Sample

221114-y3nkdadd58
MD5

dfe452c0e157bcd6d64fb15db5a044e4
SHA1

4704a79690bebc127912e2c9ee8497ca180dd215
SHA256

6436cc9f798618dcce8d46276d2bf95cfe2f3ec72d12cad218c6e7faa691d121
SHA512

786d0479c10e64bde98934ee4f71634f8c51a09178eb0c602292e238055c96ec4005edfccd5ce0cf98dbf32faa5269754d92b76f66b6dc17ddca7ac35a6bd56f
SSDEEP

12288:zGyR3TpkYC3XzcWpHnWBxHa5tdcQ4oJUL:zGyR3Y2AfUL

Score

10^/10

Malware Config

Targets

- Target
  
  46679_10774_USD·pdf.iso
- Size
  
  798KB
- MD5
  
  92110fb5c1b9ad621fc1842d848a98cc
- SHA1
  
  9a91d893c9e7066bea386b9b21a341a7f46dfb71
- SHA256
  
  c5c5d41bb7a9d9f3e36ba5c4336bc8ebb551eb3687da7e7c30a2ec8cb1c35af3
- SHA512
  
  e1390118fe9c53892b65d7aaaae595ba2f9cbf48bf30b4628602068262a22e718dbfb9f968c101afcaeea7b81c563a1c1ccca2b847287eb5fee76ba4a50d3a81
- SSDEEP
  
  12288:8JHNGwC7XzWWpH9WBjH+5ZdyQ43z9hxJU2B:KQi0gk2B
Score

3^/10
behavioral1 behavioral2
- Target
  
  46679_10774_USD·pdf.exe
- Size
  
  738KB
- MD5
  
  85eeda19da6f588695a43e0be0cab817
- SHA1
  
  006f2135a8cd9962c7f351592f0a632167690787
- SHA256
  
  97fadafd1711faa312709206b3363fc2a56b63ef31ef1319902efe672e30396e
- SHA512
  
  1bfe7c96814e90c1b6879bce16e98b0f96989d4257179f8c5c95b326ffdeecd7dfbd6d87209cd7832bb97dbb90d94ea6b897bcef84b12870ec122626737caa15
- SSDEEP
  
  12288:3JHNGwC7XzWWpH9WBjH+5ZdyQ43z9hxJU2B:1Qi0gk2B
Score

10^/10

evasion warzonerat collection infostealer rat spyware stealer
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Warzone RAT payload
  rat
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral3 behavioral4