Extracted

• • Target

    LisectAVT_2403002A_44.exe

  • Size

    250KB

  • MD5

    1de50898c006fcc7d1924a6df312f8e2

  • SHA1

    7b1ae04725421af4e1609bc1594d01691643613f

  • SHA256

    f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c

  • SHA512

    60d919aabbe922194e52e4b3834fb2ef8242427e851bff023cf3059c4bbf8574df318667b790638f7fc995872e2e35b572a4b0f3991dfc61150b1bba4b40d79c

  • SSDEEP

    6144:jNc88VTZVxiL2CzS3vlm8LkuJKjWZSLV64:y88Vt7iLVWvU8LdmV

  Score

  10^/10

  warzoneratcollectioncredential_accessdefense_evasiondiscoveryevasioninfostealerpersistenceprivilege_escalationratspywarestealerupx

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Warzone RAT payload

    rat

  • Modifies Windows Firewall

    evasion

  • Server Software Component: Terminal Services DLL

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  • Hide Artifacts: Hidden Users

    defense_evasion
  behavioral1behavioral2