General
-
Target
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d.exe
-
Size
2.3MB
-
Sample
230405-m5e58sde64
-
MD5
321cfdb13c511498a5a15860456d065c
-
SHA1
0c2f14f98edb7c7eb2e895074008dd3b7b557ea6
-
SHA256
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d
-
SHA512
e655a7090d0d1db94cae4c1eab625c14b1888ec7ca1dc0bff63826dcd94d433fd6d6c3d9f0f15f8ec4c20e83f224762b358e226f86d06c2cb1f61c361d47de98
-
SSDEEP
49152:SfJByAPKeo0LEeAb9PQeiKRCvbRbPHyIX7:SRLX
Static task
static1
Behavioral task
behavioral1
Sample
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
5.2.68.82:1198
Targets
-
-
Target
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d.exe
-
Size
2.3MB
-
MD5
321cfdb13c511498a5a15860456d065c
-
SHA1
0c2f14f98edb7c7eb2e895074008dd3b7b557ea6
-
SHA256
3aa2886c013523d0b5ec9bfd6b60490f8aba681d2259236027177da8a426da8d
-
SHA512
e655a7090d0d1db94cae4c1eab625c14b1888ec7ca1dc0bff63826dcd94d433fd6d6c3d9f0f15f8ec4c20e83f224762b358e226f86d06c2cb1f61c361d47de98
-
SSDEEP
49152:SfJByAPKeo0LEeAb9PQeiKRCvbRbPHyIX7:SRLX
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-