Malware Analysis Report

2025-08-11 01:39

Sample ID 230224-bs3vzsbf81
Target 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7
SHA256 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7
Tags
warzonerat infostealer persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7

Threat Level: Known bad

The file 49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 01:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 01:25

Reported

2023-02-24 01:27

Platform

win10v2004-20230220-en

Max time kernel

63s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbhbm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbhbm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foktcx = "C:\\Users\\Admin\\AppData\\Roaming\\gxtmir\\nwgcluqav.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbhbm.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem" C:\Users\Admin\AppData\Local\Temp\vbhbm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 840 set thread context of 3080 N/A C:\Users\Admin\AppData\Local\Temp\vbhbm.exe C:\Users\Admin\AppData\Local\Temp\vbhbm.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbhbm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbhbm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe

"C:\Users\Admin\AppData\Local\Temp\49ff2c2f0c21aa26f9ee4357241cdd347278ebacb5f343e34e71b431c891f7b7.exe"

C:\Users\Admin\AppData\Local\Temp\vbhbm.exe

"C:\Users\Admin\AppData\Local\Temp\vbhbm.exe" C:\Users\Admin\AppData\Local\Temp\gagsrkdsng.c

C:\Users\Admin\AppData\Local\Temp\vbhbm.exe

"C:\Users\Admin\AppData\Local\Temp\vbhbm.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           210.81.184.52.in-addr.arpa    udp
US       8.8.8.8:53           blackroots7.duckdns.org       udp
NL       45.132.106.37:1104   blackroots7.duckdns.org       tcp
US       8.8.8.8:53           37.106.132.45.in-addr.arpa    udp
US       13.89.179.9:443      N/A                           tcp
US       93.184.220.29:80     N/A                           tcp
US       93.184.221.240:80    N/A                           tcp
US       93.184.221.240:80    N/A                           tcp
NL       173.223.113.164:443  N/A                           tcp
NL       173.223.113.131:80   N/A                           tcp
US       8.8.8.8:53           86.8.109.52.in-addr.arpa      udp
US       93.184.221.240:80    N/A                           tcp
US       8.8.8.8:53           8.3.197.209.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\vbhbm.exe

MD5 e6b5f97b8f2e47169725e611f72c03e5
SHA1 dc355e2727ea340dd71e578883ea8857564cacbf
SHA256 6626caf5bfc3fb98ee20be19ea79c2d9d246d9f33e9804dc90fe96d762908de5
SHA512 b41ed29c7f03dfdd62111206d293d27522020944c0f815823ebabcabdf131924aa3f40e60d6589ddf6dbab6be49f2ada599606a1779d0645c001f066a9b58baa

C:\Users\Admin\AppData\Local\Temp\gagsrkdsng.c

MD5 7230a8526dfd97fc0171610a1e8508d3
SHA1 860cccd21d7703864155e647c46698893315ec83
SHA256 458074b370023aabeaab76f9ff9719a8e4d7eb943345ffa5740befd061814cd4
SHA512 35f8c01e51d7ed7a789089737088f45540907d2824107cd77717133dececd0cff2a531e2ee0898d35479e738bcf36da02e6fb684ec919e1e9ce459d1cd243e10

memory/840-140-0x0000000000C20000-0x0000000000C22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wbhjv.aj

MD5 37bda11fd17a78077fe3810e7019bcc3
SHA1 4dc3f5a97f3b0702885f9f5443ed54cc16c5dfe5
SHA256 8f5ef1f11eb3fbaa3fc2e1557fa88fa72be6a75c4cf750456aa2eaddf05da034
SHA512 594ad3042f20cdd73d41998542dd5eac18ed3f7a1acfcf549b0ffba5b0a5796d887fa1aaa5d676ff80b6bd6ec280beaf40171ab6eefa023f705b9e043ab9781b

memory/3080-143-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3080-146-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3080-148-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3080-149-0x0000000000400000-0x000000000041D000-memory.dmp