General
Target: RFQ_1.gz
Size: 278KB
Sample: 230329-n8lymahg7t
MD5: d0c5de55d3a2a9fcb906332a87bfe116
SHA1: 5e57c371120578c3f56b3af577303599366755e1
SHA256: 146977737942949e94e8757a25e8e2a96bd96c5454b2a5aab52771920dd015bc
SHA512: 8fc39e836309b409d5715352255bd394fd50a97fb62e022782b898232168a6b89a8904a8baee9a5b471f405869243f259e1c14ef4f5d74537ad6f12eadde58d0
SSDEEP: 6144:IS1Mo+SlD/6hCPtRPcNmyLoGmHWqGorbGBAsNDUk6PNomzwT93CmEN:FKtGDyc1mNmyLBmFGorbGBAskvETdCmu
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: RFQ.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: warzonerat
185.29.9.20:5200
Targets
Target: RFQ.exe
Size: 355KB
MD5: f734c6433f83441b57db89f3c37b21e8
SHA1: d5f26eb382cd9ad2a220a35b2eadfed2b49007f0
SHA256: c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
SHA512: d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e
SSDEEP: 6144:l69Syfirb6DYPrRPANmynocmBWwGorbGLAsND8k6PNofp8aAPwX3MmI:lrGquDYD2Nmyn5mHGorbGLAsQiOaAInv
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload
- Sets DLL path for service in the registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of SetThreadContext