General
-
Target
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.zip
-
Size
193KB
-
Sample
230321-qpljvsce6x
-
MD5
ae80524eb186a4470ef728b1060c2e01
-
SHA1
7071fe46c706d4962cd7b4fd8e25991f4f315160
-
SHA256
bfca651a0de33efa850d4e3e755aa2e5b1057ffa96edee14dbea1e57134aed4f
-
SHA512
399802aaf1d37953435bdea4dd5da58fcbdf28e3fd0f509b7c6072d1932ef6cbbe9328f54e96278c75f9c425e7ef0ce5905293c38528782fa8885ef470bc4a7e
-
SSDEEP
3072:wLWpK8BfCKi5/RsZDcfyf7/Q7Yvy0lM+F5nftV+4M1P1yfxtFRuK34:kEVNK5/T6j4svvMO5ftVhMNCbRVI
Static task
static1
Behavioral task
behavioral1
Sample
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
103.231.91.59:17873
Targets
-
-
Target
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
-
Size
474KB
-
MD5
4f675e8096f33c630b63e11ca67753a7
-
SHA1
8e525226e608dbd84f0c6bddf71f2e5ffb05645f
-
SHA256
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f
-
SHA512
59a6b5a2db27ac3876dcb629eb1e854dfbd99ae87c90c6f6eb0fe5dbb78eaa312909b58e482a9462b2fc9dd12083bd46c7e90b806b3f7e779a8d01264b59e810
-
SSDEEP
12288:RWcWnFt4sHQA793uk0FaKwR4KrjQD60+ayvsHC6rRl6Fklbddxppppppppppppp5:8rYD+wkfjQDHy6rFd
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-