Extracted

• • Target

    GN9RraXeXEBgOFw.exe

  • Size

    502KB

  • MD5

    a1e4735b4aaecb5d1e7b2b14c9f10b9f

  • SHA1

    3345d8e116ddef9ca6ae902d427902299b54cce3

  • SHA256

    e829d7199bc4b9903390779d67bc19fd7ecf51f5f9d449903e5baad0109e59a8

  • SHA512

    ea04af1c3fdf7caf771384e9f5f710e850f0c1e8d5e00c03ec4fd8fee3c56f03d784c0db0ca9ca702a2650d6bba1b45971b6fd3a524dc7ec72db4625a05ad091

  • SSDEEP

    12288:TBi0blTWLxWzw2LRYYDLieFAh+Zf5tT0/:ljlTWLxU7HieFECh+

  Score

  10^/10

  warzoneratinfostealerratcollectionpersistencespywarestealer

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Sets DLL path for service in the registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2