Extracted

• • Target

    2459be14b56351298c04745ef9e1744a_JaffaCakes118

  • Size

    331KB

  • MD5

    2459be14b56351298c04745ef9e1744a

  • SHA1

    3e9bdbe35c26382ff7693de05f6003302d915e45

  • SHA256

    01befc1773d5b3c161ae2b607778ce781283735071f0c93fef45ea24afb0458d

  • SHA512

    5a6050b615ffc473441482637d9d64ca8f23239f3b41c62be3015ae72c5c26e5afc28113ea84a491d230579706214676303f79bb6aa5868295b1ff01c59bd3b2

  • SSDEEP

    6144:CLF0EDwIH6PWfikh+PoSAkQ8iV9HD9VNIK+B2Dhx0IxY+:6ekwu4W5wZAkQnHBVKPO0B+

  Score

  10^/10

  warzoneratdefense_evasiondiscoveryexecutioninfostealerrat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzone RAT payload

    rat

  • System Binary Proxy Execution: Regsvcs/Regasm

    Abuse Regasm to proxy execution of malicious code.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of SetThreadContext

  behavioral1behavioral2