General
Target: QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
Size: 1.8MB
Sample: 230405-wslxpagf32
MD5: 657ecefa96e9e2aad4975964339f6d88
SHA1: c041038ccc3ec0bb069c8200ca80f0b8345f8361
SHA256: 73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5
SHA512: 898c6f5120db52bcbfb8423f2e5083c129b486855248f9bc47b82dd14fa096297b4902d7d09e897fc3b3f55b8a53e3d15a629a41078be8d4c47bcefb2f893027
SSDEEP: 24576:1xYG/b9jNHjWdBxhtvS77w4gl0HA4QE6HsIyoUZ8pdyC2cyft0jFFwSnDB6COT+N:o2qPtvq7wNl0pMQwdqvi/oQlw
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: warzonerat
152.89.160.131:47795
Targets
Target: QUOTATION_ APRL 310377FIBA00541_PDF.scr.exe
Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext