General

  • Target: 4e7b587955e5bbae4252f39d3d646e343831f79b18435a29cb2ee0320f0c0d00.exe

  • Size: 474KB

  • Sample: 241120-zbcjgatcpj

  • MD5: 1532db0a3045edde067ec5a1c1dc7cc4

  • SHA1: d390d55dfc7fd06c6b71df8f3fa2d6d3e6b8ebf8

  • SHA256: 4e7b587955e5bbae4252f39d3d646e343831f79b18435a29cb2ee0320f0c0d00

  • SHA512: 929b7640303982d908459e4c213d65c52fea82d77180db9d968f62cca14b455a2acc9a49b6d40687962aa652964d56b7d7d3475e762c45c0205660ca3d364257

  • SSDEEP: 12288:J8SIbw8eGrT3jSrmLdyHcrfokLSN0hGbpqJFTP2:JEbw8eGrTTjZy8rAoSN0EFqi

Malware Config

Extracted

  • Family: warzonerat

  • C2: 37.221.65.140:6606

Targets

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Looks for VirtualBox Guest Additions in registry

    • Warzone RAT payload

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Drops startup file

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
