General
-
Target
Quotes_pdf.bin.zip
-
Size
71KB
-
MD5
05506cd73c30d0395f41a788e5918ffd
-
SHA1
4dd0f6c650d4b707d38e45463da26dcb65d0d5e2
-
SHA256
53af37226826dda2ac05ec2121cda81553a1933e6adebd95dcd0ce3972461d7d
-
SHA512
0b2d751b248c331ac9906c0897167c072fd67b9a93fa246d905caa8f8f00ff45aa5f02657fe1670d9c32c6db532415bb96ad1d2ac032a1d821647461a341bc82
-
SSDEEP
1536:/XBM28VkVozkIPWeaKO0IsSq7toE+jMJOs5U1SZKrUuLCGRyEFW:RrIPWeaLsSP4+MK45GcEg
Malware Config
Extracted
warzonerat
185.157.162.75:4002
Signatures
-
Warzonerat family
Files
-
Quotes_pdf.bin.zip.zip
Password: infected
-
Quotes_pdf.bin.exe windows x86
b9494f92817e4dfbe294ad842e8f1988
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
bcrypt
BCryptGenerateSymmetricKey
BCryptDecrypt
BCryptSetProperty
BCryptOpenAlgorithmProvider
ntdll
NtQueryInformationProcess
RtlInitUnicodeString
RtlEqualUnicodeString
kernel32
GetModuleHandleA
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
CreateProcessA
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
LocalAlloc
lstrcmpW
WaitForSingleObject
CreateProcessW
VirtualProtect
SetFilePointer
ReadProcessMemory
VirtualQueryEx
GetModuleHandleW
IsWow64Process
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
ExitProcess
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
GetTickCount
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
WinExec
Wow64DisableWow64FsRedirection
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
Process32First
Process32Next
SizeofResource
GetTempPathA
LockResource
lstrcpyW
WideCharToMultiByte
lstrcpyA
Sleep
MultiByteToWideChar
lstrcatA
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
lstrcatW
GetLastError
VirtualFree
SetLastError
GetModuleFileNameA
CreateDirectoryW
GetProcAddress
LoadLibraryA
GetProcessHeap
CreateEventA
HeapAlloc
LocalFree
LeaveCriticalSection
user32
CreateDesktopW
CharLowerW
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
wsprintfA
GetKeyNameTextW
PostQuitMessage
MessageBoxA
GetLastInputInfo
GetForegroundWindow
GetWindowTextW
ToUnicode
wsprintfW
advapi32
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
GetTokenInformation
QueryServiceStatusEx
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegCreateKeyExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
RegDeleteKeyW
shell32
SHFileOperationW
ShellExecuteExW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW
SHGetKnownFolderPath
ShellExecuteExA
SHGetFolderPathW
urlmon
URLDownloadToFileW
ws2_32
getaddrinfo
setsockopt
freeaddrinfo
htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
InetNtopW
gethostbyname
inet_addr
ole32
CoInitialize
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree
shlwapi
PathFileExistsW
PathFindExtensionW
StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
AssocQueryStringW
netapi32
NetLocalGroupAddMembers
NetUserAdd
oleaut32
VariantInit
crypt32
CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW
psapi
GetModuleFileNameExW
Sections
.text Size: 84KB - Virtual size: 84KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 42KB - Virtual size: 1.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.bss Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ