General
- Target: SecuriteInfo.com.Win32.PWSX-gen.27730.24624.exe
- Size: 6KB
- Sample: 221214-np1mnshh47
- MD5: 16f9cf91a1ac3a6671af633e006b0800
- SHA1: 29c8e005c110dc1641da9c33e3806bbfbd8bdc48
- SHA256: d8d80ddc56f35bf9c2fd12a13dafb73f1768b7f36ad4c1bc3436dbfbfb0a6d9d
- SHA512: 1fd1496816f7f90fd2201722977094337e60c498bd50421a387d9cbade519b5619889987566fc76c4f34c6ee8d0c3c95b8460c3692881a0323a8a875a9cf65e5
- SSDEEP: 96:pjk9hb83wwhEXr+BWhzPFQ9TBL+QWokY+E3dspSO2mC47DkIaBSsyzNt:pYj8gKEEAzi9lL3kY+ge4d47YRAs0
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.PWSX-gen.27730.24624.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Win32.PWSX-gen.27730.24624.exe
- Resource: win10v2004-20221111-en
Malware Config
- Extracted: warzonerat
- 194.147.140.138:9922
Targets
- Target: SecuriteInfo.com.Win32.PWSX-gen.27730.24624.exe
Signatures
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext