General
Target: 4b541ff698f1b6cb633140e65dcb6f5f.bin
Size: 550KB
Sample: 241021-zkqgpaxdlq
MD5: e4fadcb958fd3deb716e63cbf51a2845
SHA1: c0a526eca6fcc5fb0f79f3025465d49dfa103ec6
SHA256: 0e20d445741dbc0c671113b540f82726f9d7463154ac1acf3806c38a7fb39341
SHA512: abf8e931f9bf85927dfff534d0068e22ae1799426e3d98c66272a74153bf9d51ab55a9aed477a06a9692c630a2cb7e96969fc07d35d254ee75d0e4000c0887d1
SSDEEP: 12288:PFXXJUCKF6E2mSUR5phuD1sWFUtklaTMByND99o9Y3bVE0M0rl7Z:pX/KF6E2mnphI1JcklB8X9o9Yxg0rv
Static task: static1

Behavioral task: behavioral1
  Sample: f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: warzonerat
omc2015asm.ddns.net:5201
Targets
Target: f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add.exe
Size: 784KB
MD5: 4b541ff698f1b6cb633140e65dcb6f5f
SHA1: 78a89671c275e0498f66393d2bf0c0d9ca84569e
SHA256: f5e1b30ec44e8c2a6e6a3c67bf7a5ecd7474c978668724eb49141608a3a60add
SHA512: 3f12c2b92a990df809e689607fce5e9d3135fe467759bfa4ed1dccc0fb98df71cfca85db904fc185c17b697a2540b44bc55ad26214a662f5ae11b25ae0b70639
SSDEEP: 12288:Iwh6wEx2iNNFR9YJcR8bNvX+nXq2ow+Ubm1Dt4:Kwk1fFLakaNvX+swK
Score: 10/10

Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzone RAT payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext