General
-
Target
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.zip
-
Size
193KB
-
Sample
230321-rv37jaba24
-
MD5
77e4da08b7ef5e7124ca46c1ab22b1e4
-
SHA1
0a6142bc9a54ded94a020ce4bb26863986eb3f7a
-
SHA256
465392d0ea7e46683e93277a0909b158d9b860c5c311c57a941a5bfae9b7c186
-
SHA512
3c0cb8a9aef01757199ca7e8b63509cdb0794e00605a12b64e68aaded28402469a0fa027dccb913090fffd43859a971fc8f39f7558b62eda79973c00c7180e35
-
SSDEEP
3072:opzRvJe8+y6t/nwGrHOb7aS7rUwW6LgKUmXyATGnkQj6tUfOXKlDQwNT5Mebs7K7:IJiy6JRga2A6LgEZCkQCulDIRuhdX
Static task
static1
Behavioral task
behavioral1
Sample
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
103.231.91.59:17873
Targets
-
-
Target
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f.exe
-
Size
474KB
-
MD5
4f675e8096f33c630b63e11ca67753a7
-
SHA1
8e525226e608dbd84f0c6bddf71f2e5ffb05645f
-
SHA256
267e7f40468aa20e4c4741a562d1fd090cdb14be29cff3d3dc6f9c951cf1922f
-
SHA512
59a6b5a2db27ac3876dcb629eb1e854dfbd99ae87c90c6f6eb0fe5dbb78eaa312909b58e482a9462b2fc9dd12083bd46c7e90b806b3f7e779a8d01264b59e810
-
SSDEEP
12288:RWcWnFt4sHQA793uk0FaKwR4KrjQD60+ayvsHC6rRl6Fklbddxppppppppppppp5:8rYD+wkfjQDHy6rFd
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-