General
Target
b84b9a63842c6e568d82e4cbf8a2df7b_JaffaCakes118
Size
670KB
Sample
240617-m9l5caxhrg
MD5
b84b9a63842c6e568d82e4cbf8a2df7b
SHA1
7c616240ed237f43af94e9e5b24fd051c051be5e
SHA256
8787202b2bdc72567ca866f0398c2920de836163f76f8c245d71989999d3b1d7
SHA512
0d579dc841e29fdf8f6036a8f4b750acbef8303244f033949b0a6dc6a719f14d47aca1249fef2dc4b34f80ad847813057eaaac8265d223051efeecf8356ef042
SSDEEP
12288:cBHN5X1fHRJCL49nKGPSitGzXp7ud25AYimewlPlRaG3Pg+Idn5+sa9Takv6:2zrJCL4wGnQ75ud2phlPlRaG3I+Id5+E
Static task
static1
Behavioral task
behavioral1
Sample
PO-45658467.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
PO-45658467.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
warzonerat
xilogrid.info:6080
Targets
Target
PO-45658467.exe
Size
729KB
MD5
19120c7a5b3a173b1e71a749d1f838f2
SHA1
31b10a31a42a1c6537675beadd9cb67ac2ad7a47
SHA256
8a69ef9bfb807a216e604cbf01b7b5d394057d0615e29bf44d6bd7ed1122714d
SHA512
9bb75899fab3bdfccf2c59ebf2d94cd90209ea7bb5d766a3d33e574d4c8900e04cecfb16d7930d5cf024d908a42d08701ac7861db751adf55c6d58d252dd42e0
SSDEEP
12288:wgYlw5n11fRJCvA97KGxSVt4rpkxnFzSWuN2JSB5+UyUDJ8X+am9jK:n3xJCvAIGqt4rpkxwzN2M5dF0+t9jK
Score: 10/10
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext