Extracted

• • Target

    DAU7WuTeQv0

  • Size

    608KB

  • MD5

    1acbfb6d275b47369ff413b74fdf8978

  • SHA1

    e61f1d412838db72e4d175e3e1aa053d628f6dcf

  • SHA256

    09ffc5eae2b9cce4ee691bfa07230ed2e68ce1f0479ba3cd5180de315dd80ca2

  • SHA512

    41ac9918705ad4a43347fcadb08972ccdf33b478a50cf9ec8a84a44eae0c45906e75022d178f13e08afb84b60e5bb5ee8c4c8cc509f91dd82010e93bf572e83f

  • SSDEEP

    6144:wgO8wh8wD8wY8w58wu8wO8wW8wd8wx8wAPnCtF:wH8m8q8x8K8X8D8N8q808ZPk

  Score

  10^/10

  warzoneratagilenetaspackv2defense_evasiondiscoveryevasionexecutioninfostealermotwpersistencephishingratrezer0trojan

  • UAC bypass

    evasiontrojan

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Warzone RAT payload

    rat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    phishingmotw

  • Suspicious use of SetThreadContext

  behavioral1