Extracted

• • Target

    file.exe

  • Size

    403KB

  • MD5

    0bbf771c23e77d0f67ac68e739f8bd5b

  • SHA1

    ca5612a8739476297c7b8535f7a34f020bacf8a8

  • SHA256

    8c95992bf35e5bc0d46244bf2330bec5711f409cb7fba2a2d52c28ed54ca4e80

  • SHA512

    cdc58bb031e9fe1691691a5dc4ca51d35754efae67f6919f47ec47681b6a2d938b82f2fbbe605b14ab2e84a4eabfd5b9545b40419491defbd92f65820bc0a538

  • SSDEEP

    6144:hP1IAsudOs2633urCApOlOpT/leT78bJFdIY/xDDDzjltY7QMq/TfL9Y2bd:bisH3eCApOUpT/ccWUZlCCjLeE

  Score

  10^/10

  warzoneratevasioninfostealerpersistencerattrojan

  • UAC bypass

    evasiontrojan

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Warzone RAT payload

    rat

  • Looks for VMWare Tools registry key

    evasion

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2