General
-
Target
49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149
-
Size
498KB
-
Sample
240417-q5jefaad97
-
MD5
e79815a740e092ac0dc19217de1a4f3e
-
SHA1
3ada978a3f5060cc980cdbe54cbc0cbe2cf139f1
-
SHA256
49c21f3186b335344bdcf60a381000d795da7aaa94a0b65d522899703bd7c149
-
SHA512
df91486c176a68357deff7ef5ba5ede611941e35f5be5aff0f7dfa50ece40e835be8479c7104b3a786947d1d319920ae0a00ef29c9badfad805e7d3e9e825bae
-
SSDEEP
12288:BpMLAVhZY+Qcy2Wj7mvH0fO3X65bJiE7OiGhfoO:BpMLAjS3fjyvkuKtJiQOuO
Static task
static1
Behavioral task
behavioral1
Sample
74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
warzonerat
51.77.167.59:5951
Targets
-
-
Target
74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447.exe
-
Size
577KB
-
MD5
a9862010588f43a61bd317483b93947b
-
SHA1
31987c99822c71a38cebc13d8d3261833313a77c
-
SHA256
74ab97b09af8d1277126ff92b065ce8f08c3dc28f17745e78c0d8fcf0e8b5447
-
SHA512
1ac4380dfb2c8cea6a4071c56d6cbf21a17cb79c791fe264dbe65b5f72749dd159918810d0ab00cbb84b8531e464f2c697d8d00fc34b7044228096a5d7dd06b1
-
SSDEEP
12288:er3Qp5I9xWZvHgYAXGWKkv5oT4sIrT9t4GH:ejOySRA2nsRNH
-
Score
10/10
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
-
Warzone RAT payload
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-