General
-
Target
RFQ.exe
-
Size
355KB
-
Sample
230329-kl1xgsfe62
-
MD5
f734c6433f83441b57db89f3c37b21e8
-
SHA1
d5f26eb382cd9ad2a220a35b2eadfed2b49007f0
-
SHA256
c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
-
SHA512
d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e
-
SSDEEP
6144:l69Syfirb6DYPrRPANmynocmBWwGorbGLAsND8k6PNofp8aAPwX3MmI:lrGquDYD2Nmyn5mHGorbGLAsQiOaAInv
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
RFQ.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
warzonerat
185.29.9.20:5200
Targets
-
-
Target
RFQ.exe
-
Size
355KB
-
MD5
f734c6433f83441b57db89f3c37b21e8
-
SHA1
d5f26eb382cd9ad2a220a35b2eadfed2b49007f0
-
SHA256
c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
-
SHA512
d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e
-
SSDEEP
6144:l69Syfirb6DYPrRPANmynocmBWwGorbGLAsND8k6PNofp8aAPwX3MmI:lrGquDYD2Nmyn5mHGorbGLAsQiOaAInv
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-