Extracted

Extracted

• • Target

    sample

  • Size

    66KB

  • MD5

    5b1dda0fcbad4bff1333b2127c1b0c49

  • SHA1

    9d25f7040b6873cb322aedaefe3f9f55311da90d

  • SHA256

    4ca41a640085e2ca954e641790ed976dfe97e35e68a01c6a6b0bcbf92ec2141a

  • SHA512

    9d0230e1df2542bb48903fcbc0e33d42a5428520e344ce814831c72ab254534b3d311dab3f6afdf919afa0066ea50d11f0afeea337294a513c9bdc88487e7751

  • SSDEEP

    1536:o69UFLCCwNieoupehNFZuSuWtWWxbRo1HrqAjcNS2WkESpRI6ZsnJVr+YS05a76h:n9UFLhwjyRo1HrqAjcNS2WkESpRI6Zsx

  Score

  10^/10

  crimsonratwarzoneratdiscoveryevasionexecutioninfostealerpersistenceransomwareratrezer0

  • CrimsonRAT main payload

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Crimsonrat family

    crimsonrat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Warzone RAT payload

    rat

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Modifies WinLogon

    persistence

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  behavioral1