Extracted

• • Target

    ODEME.exe

  • Size

    1.4MB

  • MD5

    1afac30d0748bd539783d4346facbcb3

  • SHA1

    5c4492047f046ee05f8f8d105f3e757180f0ff10

  • SHA256

    966794e8fc1be091307b4aaeee721920734278ddae04eda17f205ffada16422c

  • SHA512

    cd60b13f34d2e14b966dc0f6128f24a1ce79d8946b1bcf9176d35d93193ddf7f03d214427ad5ae75fcc67f96f20242ebc512e449e6fd1856bfb7faacdb7ddd8c

  • SSDEEP

    24576:wNA3R5drXmDgFJ1awm2KcREhI2gdFtyxSKBXk9ZDJFABAWbDT1F4RjpTSsAgb/L+:p5UVwlihHkeC9ZfqrbDn4i6L+

  Score

  10^/10

  warzoneratinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2