Extracted

• • Target

    cc0fdb6946afd11917588ce448b752e3f49debcd09d2e4d6c6d04cc1dc774e92

  • Size

    610KB

  • MD5

    06fe875e4701de15eb98fef1e228d32b

  • SHA1

    cca987129e4a7ce3a9853e419ccdac32130310d3

  • SHA256

    cc0fdb6946afd11917588ce448b752e3f49debcd09d2e4d6c6d04cc1dc774e92

  • SHA512

    276b4d6d9e4e5f7176adc19fc38c377179847d76ac53ee49dc7a318cab3a222115aa96cc90ded61f4ef6a724d0a782da5f0315867f55045ed31fbc822f436e5e

  • SSDEEP

    12288:NqrK4A9bRZmqRiYmeTLBxg6NEtuhc07M6qAvqp9YfvkR:UrKHmqnmiLBx5NEYhcmM6q8qp2q

  Score

  10^/10

  warzoneratdiscoveryexecutioninfostealerrat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • Warzone RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2