General
Target: aaa75ef6b31883aada3cbe14a3b000be.bin
Size: 475KB
Sample: 230406-b9gdbacg4z
MD5: 75b85b154a0706717776c904db4b63c5
SHA1: 1653bf78ce81ab68ae8f61ac9184d0e8610a4db5
SHA256: 04238e3f267b2e1c7b6393bc3f21eaee2374d77a81c096c475339732772d1259
SHA512: 1566a6810e3d18316152b1cd241e582480c17625450feae8cddf0aa13984630c3e8e770ae8c2a4ee2a0648348d0b3c1258cf3e316fb75a8b2d28d65f3788396c
SSDEEP: 12288:r0LaDoBQNeRAZ0zyWlpz2gSpl3Bb/5WRVwi3:cFY+AZ07Dz2geJoRVD3
Static task: static1
Behavioral task: behavioral1
  Sample: 4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted family: warzonerat
C2: panchak.duckdns.org:5050
Targets
Target: 4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec.exe
Size: 1.0MB
MD5: aaa75ef6b31883aada3cbe14a3b000be
SHA1: 73aca3c4d320afe0ae23a71831d6cc5528ea6c71
SHA256: 4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec
SHA512: 5f34f8f142fc3d456468df9ed6a05e540af3eac13e10592470a552900b609b921f30d727f22c21a0959de7932c6c3dde6558833119739bb3457a4e183d142799
SSDEEP: 12288:VVmvSJR+u2NxZecauQFNV/7Md2kuhbV/VTpxE+22NNeT7gGpidVIcM3Uh664cYXC:+zloV5y1nsloHGgunvfD
Signatures
WarzoneRat, AveMaria: WarzoneRat is a native RAT written in C++, with multiple plugins, sold as malware-as-a-service (MaaS).
Warzone RAT payload
Sets service image path in registry
Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
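The hashes and the extracted C2 above are the actionable part of this report. The following is an added example, not part of the sandbox output, showing how a responder would turn them into a check: it computes the four digests the report lists for a file in one pass, tells you whether a file you hold is the submitted .bin or the analysed .exe, and sweeps log lines for the C2 host, the C2 host:port pair, and the two SHA256/MD5 values. The log lines are constructed for illustration (the client addresses, the `x.exe` path and the field names are assumptions, not data from the report).

```python
"""IOC matcher for the Warzone RAT sample described in this report.

Added example, not part of the original sandbox report. The hash and
C2 values are copied from the report above; the log lines are
constructed for illustration and do not come from any real system.
"""
import hashlib
import re
import sys

DIGEST_NAMES = ("md5", "sha1", "sha256", "sha512")

# Indicators copied from the report.
IOC_SHA256 = {
    "04238e3f267b2e1c7b6393bc3f21eaee2374d77a81c096c475339732772d1259",  # submitted .bin
    "4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec",  # analysed .exe
}
IOC_MD5 = {
    "75b85b154a0706717776c904db4b63c5",  # submitted .bin
    "aaa75ef6b31883aada3cbe14a3b000be",  # analysed .exe
}
C2_HOST = "panchak.duckdns.org"
C2_PORT = 5050


def _digest_chunks(chunks):
    """Feed every chunk to all four hashes in a single pass over the data."""
    hs = {n: hashlib.new(n) for n in DIGEST_NAMES}
    for block in chunks:
        for h in hs.values():
            h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def digests(data):
    """Digests of an in-memory byte string."""
    return _digest_chunks([data])


def file_digests(path, chunk=1 << 20):
    """Digests of a file on disk, streamed so a large sample is never loaded whole."""
    with open(path, "rb") as f:
        return _digest_chunks(iter(lambda: f.read(chunk), b""))


def classify_sample(d):
    """Return 'sha256' or 'md5' if the digest set matches a report artifact, else None."""
    if d.get("sha256", "").lower() in IOC_SHA256:
        return "sha256"
    if d.get("md5", "").lower() in IOC_MD5:
        return "md5"
    return None


HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")
# A hostname with an alphabetic TLD, optionally followed by :port (IPs do not match).
HOSTPORT = re.compile(r"\b([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::(\d{1,5}))?\b")


def scan_log(lines):
    """Return (line_no, indicator_type, value) for every report IOC found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in HEX64.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append((n, "sha256", h.lower()))
        for h in HEX32.findall(line):
            if h.lower() in IOC_MD5:
                hits.append((n, "md5", h.lower()))
        for host, port in HOSTPORT.findall(line):
            if host.lower() == C2_HOST:
                if port == str(C2_PORT):
                    hits.append((n, "c2_host_port", f"{host.lower()}:{port}"))
                else:
                    hits.append((n, "c2_host", host.lower()))
    return hits


# Constructed log lines (DNS, proxy and EDR style); not from any real environment.
SAMPLE_LOG = [
    "2023-04-06T07:12:01Z dns client=10.0.0.23 qname=panchak.duckdns.org qtype=A",
    "2023-04-06T07:12:02Z proxy client=10.0.0.23 method=CONNECT dst=panchak.duckdns.org:5050 action=allow",
    "2023-04-06T07:12:05Z dns client=10.0.0.41 qname=updates.example.net qtype=A",
    "2023-04-06T07:12:09Z edr client=10.0.0.23 event=process_create image=C:\\Users\\u\\AppData\\Roaming\\x.exe "
    "sha256=4EC081F16BAABE564B1038B86FE09F8B6FB3EF70A83ABB23141E423FB36A42EC",
]

if __name__ == "__main__":
    # Usage: python ioc_check.py [sample-file]; always prints hits for the constructed log.
    if len(sys.argv) > 1:
        d = file_digests(sys.argv[1])
        print(sys.argv[1], d["sha256"], classify_sample(d) or "no match")
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Match on the hostname rather than on whatever it resolved to at analysis time: duckdns.org is a dynamic DNS service, so the address behind panchak.duckdns.org can change while the name stays the indicator. Port 5050 on its own is too generic to alert on, which is why the matcher only reports it when it is paired with the C2 host.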