General
-
Target
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569
-
Size
1.0MB
-
Sample
240226-1kv8lshc51
-
MD5
81a64ccbbef9671558f38d8ef1538e39
-
SHA1
c0c7571c367eac71ad1121f56fbce4763ce22448
-
SHA256
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569
-
SHA512
9858d0e46311ca6cfbbc66a046d8d9c2f3970640e7d4cdfd31c1d3c2260871415457c2982816f331ec7faa2ed161ae8215940f57f49449b414c0d0fe3b97992b
-
SSDEEP
12288:bocruvY5lZG8Z1CgOsS8DW8V1JmBgS43KCZE5ZFgJAzClLKTgulyAKp:boYuv8lZLOsZDvXJEgSGU0ulWp
Static task
static1
Behavioral task
behavioral1
Sample
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
warzonerat
godblessking.ddns.net:1991
Targets
-
-
Target
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569
-
Size
1.0MB
-
MD5
81a64ccbbef9671558f38d8ef1538e39
-
SHA1
c0c7571c367eac71ad1121f56fbce4763ce22448
-
SHA256
a30c028b3b9adef48e823339bf1f8d37131612b2e18a8e154e941e968e348569
-
SHA512
9858d0e46311ca6cfbbc66a046d8d9c2f3970640e7d4cdfd31c1d3c2260871415457c2982816f331ec7faa2ed161ae8215940f57f49449b414c0d0fe3b97992b
-
SSDEEP
12288:bocruvY5lZG8Z1CgOsS8DW8V1JmBgS43KCZE5ZFgJAzClLKTgulyAKp:boYuv8lZLOsZDvXJEgSGU0ulWp
Score 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Detects Windows executables bypassing UAC using CMSTP utility, command line and INF
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables containing artifacts associated with disabling Windows Defender
-
Detects executables containing base64 encoded gzip files
-
Detects executables embedding command execution via IExecuteCommand COM object
-
Detects executables potentially checking for WinJail sandbox window
-
Warzone RAT payload
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-