General
Target: irs no 2931F?YAT ?STEM? HK. - 285387.exe
Size: 535KB
Sample: 230406-hs9f4abh55
MD5: 5ccf7ffa4a0613c3bca058badb2a506e
SHA1: 89f5fc5f463582d4b74b86cb716b3f6c98eef018
SHA256: 83feaa7f117937d31019d3ec4833e4a7080c26d807de62556c5ee08d4f00ba72
SHA512: 91a99238f9993b1eb721df680120750e295717bfc9d1c64dc6f3778744d74d5e29bcbe27553902048ae01c524babf2322a266a7dff00107be72935a358216069
SSDEEP: 12288:RP9RcweXsub99E/osSqpCJABBzDnnFyo:7YPYosPBnF
Static task: static1
Behavioral task: behavioral1
Sample: irs no 2931F?YAT ?STEM? HK. - 285387.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: irs no 2931F?YAT ?STEM? HK. - 285387.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted
warzonerat
kellerwarzone.ddns.net:5200
Targets
Target: irs no 2931F?YAT ?STEM? HK. - 285387.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext