General
Target
QUOTATION_ APRL 310377FIBA00541.xz
Size
1.0MB
Sample
230405-xj7cpsgh65
MD5
40c1c7cc552d4ac05aefcee9cc37b0ce
SHA1
d16b3e93c6772c8e487763401481e975d684fc98
SHA256
0e3e551f81d8d908b962ee77ab0ba388b98997b59559a760473defbc33bdfa13
SHA512
14fc8e13bc40bc8efee9a86e1c516d42bd429aea9788722ae9afce75d404cb7f43604dd08551c170e446ec7e1a39c84290d7f357565f2e065ff6320e2446ef42
SSDEEP
24576:PwtMqjAv7glzFZxQWtXP+lwyYNQj6XaaK+vf:YMAAvIdZGlwh9N
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION_ APRL 310377FIBA00541_PDF.scr
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
QUOTATION_ APRL 310377FIBA00541_PDF.scr
Resource
win10v2004-20230220-en
Malware Config
Extracted
warzonerat
152.89.160.131:47795
Targets
Target
QUOTATION_ APRL 310377FIBA00541_PDF.scr
Size
1.8MB
MD5
657ecefa96e9e2aad4975964339f6d88
SHA1
c041038ccc3ec0bb069c8200ca80f0b8345f8361
SHA256
73a4aa86764da7b0fc32b8112040098b1a691a83a0f5168afccbc34d184b50e5
SHA512
898c6f5120db52bcbfb8423f2e5083c129b486855248f9bc47b82dd14fa096297b4902d7d09e897fc3b3f55b8a53e3d15a629a41078be8d4c47bcefb2f893027
SSDEEP
24576:1xYG/b9jNHjWdBxhtvS77w4gl0HA4QE6HsIyoUZ8pdyC2cyft0jFFwSnDB6COT+N:o2qPtvq7wNl0pMQwdqvi/oQlw
Score
10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext