Behavioral Report

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

jfilyg7.exe
Size

383KB
MD5

96b5dcad2ade88e0c99e84b4869224e7
SHA1

f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5
SHA256

722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d
SHA512

8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85
SSDEEP

6144:9NYLVv8Annhw3I54dDhfZfx6k/ZuCsmK4XShgtf:tIidDBZflr

Score

10^/10

colibri warzonerat build1 infostealer loader persistence rat

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

warzonerat

darkfox.ddns.net:443

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1036-140-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/1036-142-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/1036-144-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/1036-149-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/4560-154-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/4560-155-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/4560-158-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Executes dropped EXE 4 IoCs

Processes:

conhost.execonhost.exeMSCommonDriver.exeMSCommonDriver.exe

pid process

1096 conhost.exe
1732 conhost.exe
3604 MSCommonDriver.exe
4560 MSCommonDriver.exe

pid	process
1096	conhost.exe
1732	conhost.exe
3604	MSCommonDriver.exe
4560	MSCommonDriver.exe

Drops startup file 2 IoCs

Processes:

jfilyg7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	jfilyg7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	jfilyg7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

jfilyg7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSCommonDriver = "C:\\Users\\Admin\\Documents\\MSCommonDriver.exe"	jfilyg7.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.exejfilyg7.exeMSCommonDriver.exe

description	pid	process	target process
PID 1096 set thread context of 1732	1096	conhost.exe	conhost.exe
PID 4532 set thread context of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 3604 set thread context of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe

NTFS ADS 1 IoCs

Processes:

jfilyg7.exe

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData jfilyg7.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	jfilyg7.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

jfilyg7.execonhost.exejfilyg7.exeMSCommonDriver.exeMSCommonDriver.exe

description	pid	process	target process
PID 4532 wrote to memory of 1096	4532	jfilyg7.exe	conhost.exe
PID 4532 wrote to memory of 1096	4532	jfilyg7.exe	conhost.exe
PID 4532 wrote to memory of 1096	4532	jfilyg7.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 1096 wrote to memory of 1732	1096	conhost.exe	conhost.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 4532 wrote to memory of 1036	4532	jfilyg7.exe	jfilyg7.exe
PID 1036 wrote to memory of 3604	1036	jfilyg7.exe	MSCommonDriver.exe
PID 1036 wrote to memory of 3604	1036	jfilyg7.exe	MSCommonDriver.exe
PID 1036 wrote to memory of 3604	1036	jfilyg7.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 3604 wrote to memory of 4560	3604	MSCommonDriver.exe	MSCommonDriver.exe
PID 4560 wrote to memory of 5088	4560	MSCommonDriver.exe	cmd.exe
PID 4560 wrote to memory of 5088	4560	MSCommonDriver.exe	cmd.exe
PID 4560 wrote to memory of 5088	4560	MSCommonDriver.exe	cmd.exe
PID 4560 wrote to memory of 5088	4560	MSCommonDriver.exe	cmd.exe
PID 4560 wrote to memory of 5088	4560	MSCommonDriver.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe

"C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe"

Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4532

C:\ProgramData\conhost.exe

"C:\ProgramData\conhost.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:1096

C:\ProgramData\conhost.exe

"C:\ProgramData\conhost.exe"

Executes dropped EXE

PID:1732

C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe

"C:\Users\Admin\AppData\Local\Temp\jfilyg7.exe"

Drops startup file
Adds Run key to start application
NTFS ADS
Suspicious use of WriteProcessMemory

PID:1036

C:\Users\Admin\Documents\MSCommonDriver.exe

"C:\Users\Admin\Documents\MSCommonDriver.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:3604

C:\Users\Admin\Documents\MSCommonDriver.exe

"C:\Users\Admin\Documents\MSCommonDriver.exe"

Executes dropped EXE
Suspicious use of WriteProcessMemory

PID:4560

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

PID:5088

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\ProgramData\conhost.exe
Filesize
52KB

MD5
d8e1495b46cded57eb1423b8bb789834

SHA1
db64bc20550e51c602dbb92d07c8f02842efebcc

SHA256
aa2d97b5be06be67ec04774ad681da6113ee2b4929c0539929bbac19926682c8

SHA512
8b785d7f8d5fdf12dd9a5414050d403e861fd3f9ac09bceebc57b2f178c6f145389783ed1035b5e6f9b627b3d4d978f3ad9bf8195d92e20f585ef92667e4cabb

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe
Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe
Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
C:\Users\Admin\Documents\MSCommonDriver.exe
Filesize
383KB

MD5
96b5dcad2ade88e0c99e84b4869224e7

SHA1
f23d4988ca9ef6fcf9e219dd249eff9988d5f7c5

SHA256
722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d

SHA512
8ed9e7fa921b1c75ac6aec5016c138f213b0ff6341d263783d716db530da076794336bc02d6c9b141850d0250bf11b60d0ac401425dbfd13d8904a359284fb85

Download Submit
memory/1036-149-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/1036-140-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/1036-142-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/1036-137-0x0000000000000000-mapping.dmp

Download
memory/1036-144-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/1096-132-0x0000000000000000-mapping.dmp

Download
memory/1732-143-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1732-136-0x0000000000000000-mapping.dmp

Download
memory/1732-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3604-145-0x0000000000000000-mapping.dmp

Download
memory/3604-148-0x0000000000DD6000-0x0000000000DE4000-memory.dmp

Filesize
56KB

Download
memory/4532-133-0x0000000000F86000-0x0000000000F94000-memory.dmp

Filesize
56KB

Download
memory/4560-150-0x0000000000000000-mapping.dmp

Download
memory/4560-154-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/4560-155-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/4560-158-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1MB

Download
memory/5088-156-0x0000000000000000-mapping.dmp

Download
memory/5088-157-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download