Extracted

Extracted

• • Target

    Screen Recording 2025-03-06 180718.mp4

  • Size

    44.3MB

  • MD5

    02bbb635746e846d73066322261287b3

  • SHA1

    f68f8295c7ab22de40e1585f77497d74c4f89e2e

  • SHA256

    aadd7cdd3848c8c1755677839c043d17005722f8fde2dc9c4b443d500074674d

  • SHA512

    2c4b8112f026e1a51c70f5fca81d057786f4e13a8d7cf8d53474c3ca0242e28506bb5d58ddd41c5e89c54aeab6731f6950f3797bef5bbd415f62f0baaef15a60

  • SSDEEP

    786432:GGgr1sZU9600jlhyveuY5FyIeV0IfjVmj21SZkIYaUU08EPvuiSTOmXpJnr3E:GpEVHjlhIeuOr80802I0aUU0d+T7XpdE

  Score

  10^/10

  metasploitwarzoneratbackdoordefense_evasiondiscoveryinfostealerpersistenceratrezer0trojan

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit

  • Metasploit family

    metasploit

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat

  • Warzonerat family

    warzonerat

  • ReZer0 packer

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0

  • Warzone RAT payload

    rat

  • Blocklisted process makes network request

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • System Binary Proxy Execution: Rundll32

    Abuse Rundll32 to proxy execution of malicious code.

    defense_evasion

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1