General

  • Target

    RFQ 17253536373.exe

  • Size

    1015KB

  • Sample

    221122-nsybqabf77

  • MD5

    f8a2ad4544d211df3b2698e5cecaf2dc

  • SHA1

    b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

  • SHA256

    4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

  • SHA512

    fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

  • SSDEEP

    24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

Malware Config

Extracted

Family

warzonerat

C2

74.119.192.210:5200

Targets

    • Target

      RFQ 17253536373.exe

    • WarzoneRat, AveMaria

      WarzoneRAT (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

    • Executes dropped EXE

    • Sets DLL path for service in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
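
As an added example (editor's code, not from the sandbox vendor or the report), the Python below maps the behaviours and IOCs listed above onto Sysmon-style registry value-set, file-create and network-connect events, so the same signals can be hunted on endpoints and the sample's hashes checked against a file. The hashes and the C2 address are the report's; the event records, the placeholder names (images.exe, SomeSvc) and the benign noise entries are constructed. The SetThreadContext signal and the country-code lookup (a registry read) come from API tracing in the sandbox and do not appear in these event types, so they are not covered.

```python
"""Triage helper mapping the behaviours and IOCs from the WarzoneRAT report
onto Sysmon-style events. Editor-added example, not code from the sandbox
vendor or the report; all event records below are constructed samples."""
import hashlib
import re

# IOCs taken verbatim from the report.
IOC_HASHES = {
    "md5": "f8a2ad4544d211df3b2698e5cecaf2dc",
    "sha1": "b2045de3aaa3c49ebb35f25771d762cf70c5a3fa",
    "sha256": "4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641",
}
C2 = ("74.119.192.210", 5200)

# Locations behind the reported behaviours (Winlogon tampering, service DLL
# path, startup folder, System32 drop). Patterns are the editor's, not the report's.
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
SERVICEDLL_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\Parameters\\ServiceDll$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)


def hash_bytes(data: bytes) -> dict:
    """Compute the three digests the report lists for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(hashes: dict) -> list:
    """Return the digest algorithms under which `hashes` equals the sample's IOCs."""
    return [algo for algo, ioc in IOC_HASHES.items() if hashes.get(algo, "").lower() == ioc]


def classify_event(ev: dict) -> list:
    """Map one Sysmon-style event onto the behaviour names used in the report."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent (Value Set)
        target = ev.get("TargetObject", "")
        if WINLOGON_RE.search(target):
            hits.append("Modifies WinLogon")
        if SERVICEDLL_RE.search(target):
            hits.append("Sets DLL path for service in the registry")
    elif eid == 11:  # FileCreate
        path = ev.get("TargetFilename", "")
        if STARTUP_RE.search(path):
            hits.append("Drops startup file")
        if SYSTEM32_RE.search(path):
            hits.append("Drops file in System32 directory")
    elif eid == 3:  # NetworkConnect
        dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dst == C2:
            hits.append("Connects to warzonerat C2")
        elif dst[0] == C2[0]:
            hits.append("Connects to C2 IP on a different port")
    return hits


def triage(events: list) -> dict:
    """Aggregate hits over an event stream: behaviour -> indices of matching events."""
    found = {}
    for i, ev in enumerate(events):
        for behaviour in classify_event(ev):
            found.setdefault(behaviour, []).append(i)
    return found


# Constructed sample events. The dropped names (images.exe, SomeSvc) are
# placeholders chosen by the editor; the report does not name the dropped files.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\RFQ 17253536373.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\images.exe"},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\RFQ 17253536373.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SomeSvc\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\somesvc.dll"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\RFQ 17253536373.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\images.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\RFQ 17253536373.exe",
     "TargetFilename": r"C:\Windows\System32\somesvc.dll"},
    {"EventID": 3, "Image": r"C:\ProgramData\images.exe",
     "DestinationIp": "74.119.192.210", "DestinationPort": 5200},
    # Benign noise: a documentation-range address and an Explorer UI setting.
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for behaviour, idx in triage(SAMPLE_EVENTS).items():
        print(f"{behaviour}: events {idx}")
    print("hash IOC match on constructed bytes:", match_hashes(hash_bytes(b"not the sample")))
```

Feed `triage()` real Sysmon exports (EventID 3, 11 and 13) converted to dicts with the same field names; a Winlogon or ServiceDll write by anything other than an installer or Windows servicing, followed by a connection to the C2 above, is the persistence-plus-beacon pair this report describes.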

MITRE ATT&CK Enterprise v6

Tasks