General

  • Target

    RTC_Launcher.exe

  • Size

    642KB

  • Sample

    250517-sseltsaj3z

  • MD5

    aa4a09b39e2f72a5de8a474893930b0b

  • SHA1

    2dd5a014d3a1bc46e5caa0f64fdf6367e2d1fd75

  • SHA256

    8f7a2e285633068b4aaac96a8c0335c6e015cbe1f297b9a67b71c20505b743c4

  • SHA512

    97488b8cddb73d34daa9775cfe617ccd045ad009ca5b069c967c5efef8f6a6c1b86f5521d6b5eb49c232d69fe75c6d5a7e62bd915f316326a5941e5d3ca85b45

  • SSDEEP

    12288:ENoZIcBkqjVnl36ud0zR/6CtQ9PUHIG8DZ:2oZzkqjVnlqud+/2P+A

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Targets

    • Target

      RTC_Launcher.exe

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Warzone RAT payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Office macro that triggers on suspicious action

      Office document macro that triggers only under special circumstances; this is often a sign of malicious intent.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
