Extracted

• • Target

    ESCO-PO-Q10056286.exe

  • Size

    793KB

  • MD5

    ea6118b2fe55e3acc84115be3edaa2f5

  • SHA1

    c712674a10c04c03271635c51db9fd38f62dac0e

  • SHA256

    0749beb8fd852d4d82f7e2917f861ac4d8ec36b1363b6df47b202e3120aebd12

  • SHA512

    a5a2337045e7f95dd7dd00d06f7f08da9202b528c1f4532d48a7b5f994daa953355631dd643334e86a4bbd6517df239dcbc3d189e555df05fb4986ff5fa6b618

  • SSDEEP

    24576:r92LKyG5+emhIIiE3ZPbXJ/hMe25Whpw8P:gFG/lQJDVhk5WHfP

  Score

  10^/10

  guloaderwarzoneratdiscoverydownloaderinfostealerratevasionpersistenceupx

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2