General
-
Target
989eb1236e51ff39370f7a2ab5778524_JaffaCakes118
-
Size
321KB
-
Sample
240605-tvpegscg27
-
MD5
989eb1236e51ff39370f7a2ab5778524
-
SHA1
0ba34fcdc8e80eb6e55c2f02917984b86b0e2a79
-
SHA256
9792aed76169db669e7d894af5961347d5ede08320a9b9954ebaae7f7bc8a5f7
-
SHA512
4e0ebef6f892e2c3f73bb3f0a5db8c8e515f00731ed0a5663425ff8d97d6f4814a112a46067f1674c3aa36560566d3e6a0b86ff48d36ad70c65d2be6b768cc7e
-
SSDEEP
6144:BGSzYBenk6VEJD6LpK78PyY3h2YDdsaD8:BGS7k6VEt63PRh1dH4
Malware Config
Extracted
warzonerat
info1.dynamic-dns.net:5552
Targets
-
-
Target
989eb1236e51ff39370f7a2ab5778524_JaffaCakes118
-
Size
321KB
-
MD5
989eb1236e51ff39370f7a2ab5778524
-
SHA1
0ba34fcdc8e80eb6e55c2f02917984b86b0e2a79
-
SHA256
9792aed76169db669e7d894af5961347d5ede08320a9b9954ebaae7f7bc8a5f7
-
SHA512
4e0ebef6f892e2c3f73bb3f0a5db8c8e515f00731ed0a5663425ff8d97d6f4814a112a46067f1674c3aa36560566d3e6a0b86ff48d36ad70c65d2be6b768cc7e
-
SSDEEP
6144:BGSzYBenk6VEJD6LpK78PyY3h2YDdsaD8:BGS7k6VEt63PRh1dH4
Score10/10-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Warzone RAT payload
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-