Extracted

• • Target

    4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118

  • Size

    1.8MB

  • MD5

    4e7eb50a75f8bf74751576cdd5381809

  • SHA1

    7e0dfbdd505b9451513b828e4d392e164fe566e9

  • SHA256

    0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

  • SHA512

    05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

  • SSDEEP

    49152:d4FrOycrk+0UpzJtKQFHJSm4DO9qSk/kK:scrv0YTKQFHJSmeAHK

  Score

  10^/10

  hiveratwarzoneratdiscoveryinfostealerratstealer

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • HiveRAT payload

  • Warzone RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

  behavioral1behavioral2