Overview

overview

10

Static

static

1

6fad4976da...59.exe

windows7_x64

10

6fad4976da...59.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    19-04-2021 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fad4976da2bd04abe815d5d70abcb59.exe

  • Size

    328KB

  • MD5

    6fad4976da2bd04abe815d5d70abcb59

  • SHA1

    efd9f13ce017f7da924f24c6a101c8e79a2cc01c

  • SHA256

    b63510ef1f908a56031aa259b42890edd4fea137cbfcc32cd3855b6f77e4a31f

  • SHA512

    e1eba88f62771fdeeac6f7e6b0cbd63ec72bbe294290ccb42bf5ef52d362f1d879ef757e3e95265295101410d51f6c466ec2e213e824d901d3374e9f5d1de430

Score
10/10
warzoneratinfostealerrat

Malware Config

Extracted

Family

warzonerat

C2

cbngroup.duckdns.org:38050

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT Payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe
    "C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe
      "C:\Users\Admin\AppData\Local\Temp\6fad4976da2bd04abe815d5d70abcb59.exe"
      2⤵
        PID:608

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nscF9FA.tmp\pr91qdefohr4.dll
      MD5

      2793a1683214a938db61cde98d8e28d6

      SHA1

      8b6c9a97d715e0547eeb3c18879c6245fbb2de94

      SHA256

      f179ff7bbd354c6f934f45281198702cf3e896bc5848766445169685ea3aff33

      SHA512

      6fd635932a0d6e9c647ca63b272990b4fc62b5778598b1518ec734747708ab625f64d84f4361b765ceac21973a548ea13b962f49fbe95421cbfdf74b7ef29b14

      Download Submit
    • memory/608-63-0x0000000000405CE2-mapping.dmp
      Download
    • memory/608-65-0x0000000000400000-0x0000000000554000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1268-61-0x0000000002480000-0x00000000030CA000-memory.dmp
      Filesize

      12.3MB

      Download