Extracted

• • Target

    NEW ORDER.exe

  • Size

    64KB

  • MD5

    35c834fc25778529bde95c02a5305d84

  • SHA1

    50dc363ea605f63ea2e11518c82d199e588dd2bd

  • SHA256

    2db1ee71637f8e3431085b022e05551e621d8ca97215495a1304e016f4ceb74d

  • SHA512

    d64e0107d03ed8f478d65a8e531982faf49d741bf23c6abe8c3f8699693a4cf81cf633afe28bd44bf263b9a9a6b04a282b206d7ce7aca121f1a3b9cb33c73f59

  • SSDEEP

    1536:fra2PYE8+se630VDcM7TPxdF8o75F943hh:fra2gE8+SEVDcMfxvXX4

  Score

  10^/10

  warzoneratcollectionevasioninfostealerpersistenceratupx

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2