Malware Analysis Report

2025-08-11 01:38

Sample ID 230224-rwvlsahf85
Target 28c462381899d5a4f67656944b6025f9.exe
SHA256 da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a
Tags
warzonerat infostealer persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

da029a807d20d6ab41299ae370424cc78fab56d7ee97d11f1156f4e99e54c87a

Threat Level: Known bad

The file 28c462381899d5a4f67656944b6025f9.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-24 14:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-24 14:33

Reported

2023-02-24 14:35

Platform

win7-20230220-en

Max time kernel

28s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqmvfbk = "C:\\Users\\Admin\\AppData\\Roaming\\vfoktpyiemvrb\\wgplueajfoxtdm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\avxyq.exe\" C:\\Users\\Admin\\AppDa"
Process: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
Target: N/A

Suspicious use of SetThreadContext

Description: PID 1480 set thread context of 1028
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
Target: C:\Users\Admin\AppData\Local\Temp\avxyq.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe

"C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe"

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe" C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 blackroots7.duckdns.org udp
NL 45.132.106.37:1104 blackroots7.duckdns.org tcp

Files

\Users\Admin\AppData\Local\Temp\avxyq.exe

MD5 156ed6700ef54cfa83a1a220e842a328
SHA1 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256 d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512 c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

MD5 156ed6700ef54cfa83a1a220e842a328
SHA1 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256 d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512 c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

MD5 6bd6d3f8e44429f2be3e2d45bb17f2f2
SHA1 76e8137a69cb6b15ff0194d67e1fb91aa0e9aed0
SHA256 74538cb526634df66399cba1d4fddc07427059fd81842160ee52aee8b33feff8
SHA512 f142917a41e9d5de39e6818c660c569a9e3b3db96d22c5af2e273a2d5045976593c805d7266a8d4545eb013461c24159b7f70aa3cf405cb1c8cde44a3e26ae0e

C:\Users\Admin\AppData\Local\Temp\narwbaekgvw.wt

MD5 bbaa20f28881493009df30cd773b0cc5
SHA1 ac779c0fd7e238a79720d29e837755b011770710
SHA256 0d3de13a7c6651962965e736e1b44d6fb299b53dc7267cdbbd3170d2fa77b07b
SHA512 1d4ef3750936f99778aab04ad81b774cadcb966f08e73a6be935896e81b9ff45e7b3e519391ce54935dae56654b809e8391a9f03d5721956b5d051256cad6242

memory/1028-66-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1028-70-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1028-71-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1028-72-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-24 14:33

Reported

2023-02-24 14:35

Platform

win10v2004-20230220-en

Max time kernel

99s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqmvfbk = "C:\\Users\\Admin\\AppData\\Roaming\\vfoktpyiemvrb\\wgplueajfoxtdm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\avxyq.exe\" C:\\Users\\Admin\\AppDa"
Process: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
Target: N/A

Suspicious use of SetThreadContext

Description: PID 3540 set thread context of 3916
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\avxyq.exe
Target: C:\Users\Admin\AppData\Local\Temp\avxyq.exe

Enumerates physical storage devices

Program crash

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Users\Admin\AppData\Local\Temp\avxyq.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\avxyq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe

"C:\Users\Admin\AppData\Local\Temp\28c462381899d5a4f67656944b6025f9.exe"

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe" C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

"C:\Users\Admin\AppData\Local\Temp\avxyq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3916 -ip 3916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 496

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
NL 84.53.175.11:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\avxyq.exe

MD5 156ed6700ef54cfa83a1a220e842a328
SHA1 3cebd8e30387e6fbcd235dfd5f38240e660a2fc7
SHA256 d331afaea61b2e228760e493dc3849c1161a782d1dae1a7098262c0983bf6f11
SHA512 c5ee0c10641837707b5b0d034e7fa50891ca45968a7e360e7970e9ab4ff2f66132c75a2a72db8d50511b1ef9366bc5deeae73f9ce744ca583eaf445d69b6608b

C:\Users\Admin\AppData\Local\Temp\efkmzemi.oij

MD5 6bd6d3f8e44429f2be3e2d45bb17f2f2
SHA1 76e8137a69cb6b15ff0194d67e1fb91aa0e9aed0
SHA256 74538cb526634df66399cba1d4fddc07427059fd81842160ee52aee8b33feff8
SHA512 f142917a41e9d5de39e6818c660c569a9e3b3db96d22c5af2e273a2d5045976593c805d7266a8d4545eb013461c24159b7f70aa3cf405cb1c8cde44a3e26ae0e

memory/3540-140-0x00000000012B0000-0x00000000012B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\narwbaekgvw.wt

MD5 bbaa20f28881493009df30cd773b0cc5
SHA1 ac779c0fd7e238a79720d29e837755b011770710
SHA256 0d3de13a7c6651962965e736e1b44d6fb299b53dc7267cdbbd3170d2fa77b07b
SHA512 1d4ef3750936f99778aab04ad81b774cadcb966f08e73a6be935896e81b9ff45e7b3e519391ce54935dae56654b809e8391a9f03d5721956b5d051256cad6242

memory/3916-143-0x0000000000500000-0x000000000051D000-memory.dmp

memory/3916-150-0x0000000000500000-0x000000000051D000-memory.dmp

memory/3916-156-0x0000000000500000-0x000000000051D000-memory.dmp