General
Target: fmwrz.exe
Size: 218KB
Sample: 230329-j7c7waha9t
MD5: a3a47448f45b0374c3cde59e1a7bfb0d
SHA1: e00b404f1a143c99e1cf095ef27678022539be43
SHA256: 9b1cd01f7d8e52a581fa6d6b2fd0dbb61361c3e6bda603f0f5fded0f938ada10
SHA512: cc70d6c4829a13a7b5819c6924d0309beb083131c59d8cb3e81f13b1bc38d02413f48447064b7f5948bdb2d162c450863c9bc0c47f51735375264d31bbc48dd4
SSDEEP: 3072:4fY/TU9fE9PEtuJbfgN0XwaZlq5cSeZCV8Pt7oih6Qrpu+hmzFmr7J0Fjp+VDf84:uYa6XfnXwuI5KCVAxCQFZsFImp+DfG6
Static task: static1
Behavioral task: behavioral1
  Sample: fmwrz.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: fmwrz.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted
warzonerat
top.not2beabused01.xyz:1668
Targets
Target: fmwrz.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++, with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT payload
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext