Extracted

• • Target

    NEAS.92b4986bc8e2e6631dbfa1e09fb95300.exe

  • Size

    576KB

  • MD5

    92b4986bc8e2e6631dbfa1e09fb95300

  • SHA1

    15207ba5bbaef76321752be90dba3ebcdc6b685c

  • SHA256

    134601a3fa4dd4f8acd601bd1fd03f0f2acfbfc75e98731e140f9f0a362c017f

  • SHA512

    e65b2d9712435a85a2d50f6c292d857ad7b3e04e0553b23d0d32526c3ede03ffab4667e9d899bc11c012bef018666645e97727a65fda5d0e02679a9e906659d0

  • SSDEEP

    12288:el3zhdaE/jMRSrv0BNTMZtTQhm/iBjhrtDUnjP7Gu72JDl9gNaS:i31QEoRSrv0BNT8ehm6ROjiu7aD

  Score

  10^/10

  warzoneratinfostealerpersistenceratevasion

  • Modifies WinLogon for persistence

    persistence

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Nirsoft

  • Warzone RAT payload

    rat

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2