General
-
Target
RUS3109Y51.exe
-
Size
778KB
-
Sample
230315-ld6y7see2y
-
MD5
d94f93beb5e5cafbed05b68b50b89a01
-
SHA1
fb828f7fdf2aa5b83efef41754ba6c8b4a437b84
-
SHA256
adb09eb6718421aff9cfd0dd2188ceab7c52e4c1f33ff3b3e56d37e8b09aadd1
-
SHA512
3f2fc14d7004f29d88649ad885df8cca54a0d1c1cdf3e301ec32fc59c8f0c7cf66b9c8289fcd921f92bac157c3cc222f0e07d641a8cb889c005d854d44a92d12
-
SSDEEP
12288:giz2j8iJGRTwdfL6pvv0WC1R5LlLzrycVCBy0L/Y+M1eZ5qOP6bz8VoRHTpZI:ejRJTZ69pCf5xLzecVa/Y+lHhS3uup
Static task
static1
Behavioral task
behavioral1
Sample
RUS3109Y51.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RUS3109Y51.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
74.201.28.114:3900
Targets
-
-
Target
RUS3109Y51.exe
-
Size
778KB
-
MD5
d94f93beb5e5cafbed05b68b50b89a01
-
SHA1
fb828f7fdf2aa5b83efef41754ba6c8b4a437b84
-
SHA256
adb09eb6718421aff9cfd0dd2188ceab7c52e4c1f33ff3b3e56d37e8b09aadd1
-
SHA512
3f2fc14d7004f29d88649ad885df8cca54a0d1c1cdf3e301ec32fc59c8f0c7cf66b9c8289fcd921f92bac157c3cc222f0e07d641a8cb889c005d854d44a92d12
-
SSDEEP
12288:giz2j8iJGRTwdfL6pvv0WC1R5LlLzrycVCBy0L/Y+M1eZ5qOP6bz8VoRHTpZI:ejRJTZ69pCf5xLzecVa/Y+lHhS3uup
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-