Extracted

• • Target

    RFQ 8976765564566787978754566787909875654567.scr

  • Size

    557KB

  • MD5

    f302ac3931ec4406589e92bb0ceb5a05

  • SHA1

    e9fc3f3264cd3a1ec6023493a5c96c2ba317755f

  • SHA256

    6b83778b6931df0a74268e44daf5ca87dee79b0360b1022e6976281c5a1c58de

  • SHA512

    a3ce33d824ccd13a368e974d0df5d33081474652223280fd8464339f59a2598d80b8c83490b543a3d2cb09af60d4a342fe918fdb72076dafe4fdfe954817922c

  • SSDEEP

    12288:8zll9Z7a0GM4Rb9So1JELBYaKMwHI3lpa+zD56gsjFQX0zHVjczn4SB0AjlEVwtw:qawL6Ib/N6zjFQERQn4SB1jRti

  Score

  10^/10

  warzoneratdefense_evasiondiscoveryexecutioninfostealerpersistencerat

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • Warzone RAT payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Server Software Component: Terminal Services DLL

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies WinLogon

    persistence

  • Hide Artifacts: Hidden Users

    defense_evasion

  • Suspicious use of SetThreadContext

  behavioral1behavioral2