Extracted

• • Target

    5e4fa07bf0f249c715efac189ccd912b2c47f3117db72d2a96f9cc87080a910e.exe

  • Size

    1.0MB

  • MD5

    5ff5712069f1f56f5f7ce88bca97ba2e

  • SHA1

    2e4fcebc6f2cf1f4d7662f84aaf73ff189629cdb

  • SHA256

    5e4fa07bf0f249c715efac189ccd912b2c47f3117db72d2a96f9cc87080a910e

  • SHA512

    b5a97229f302664931e893d9123ee7fcf1be80832e0160de107a36b1ae697231ad548a48333412e47247f899138c5a091e7d3616d683ba389469bfb493878a25

  • SSDEEP

    24576:y6nVMk+HIj90cmvFMN8O663kAjMEF/Jfwocd5xShmmpGfPFa:xVz7tWqK63YSJf/Qx8dpGc

  Score

  10^/10

  warzoneratdiscoveryinfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2