Analysis

max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2023, 08:42

Static task: static1

Behavioral task: behavioral1
Sample: RFQ.exe
Resource: win7-20230220-en
7 signatures, 150 seconds

Behavioral task: behavioral2
Sample: RFQ.exe
Resource: win10v2004-20230221-en
5 signatures, 150 seconds
General

Target: RFQ.exe
Size: 355KB
MD5: f734c6433f83441b57db89f3c37b21e8
SHA1: d5f26eb382cd9ad2a220a35b2eadfed2b49007f0
SHA256: c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
SHA512: d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e
SSDEEP: 6144:l69Syfirb6DYPrRPANmynocmBWwGorbGLAsND8k6PNofp8aAPwX3MmI:lrGquDYD2Nmyn5mHGorbGLAsQiOaAInv
Score: 10/10
Malware Config

Extracted
Family: warzonerat
C2: 185.29.9.20:5200
Signatures

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1904-140-0x0000000000720000-0x000000000087C000-memory.dmp | warzonerat
behavioral2/memory/1904-145-0x0000000000720000-0x000000000087C000-memory.dmp | warzonerat
behavioral2/memory/1904-150-0x0000000000720000-0x000000000087C000-memory.dmp | warzonerat

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3524 set thread context of 1904 | 3524 | RFQ.exe | 84

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2892 | 1904 | WerFault.exe | 84

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3524 wrote to memory of 1904 | 3524 | RFQ.exe | 84
(this row is recorded 11 times: the parent RFQ.exe, PID 3524, wrote into the second RFQ.exe instance, PID 1904, eleven times before setting its thread context)
Processes

Image | Command line | PID

C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" | PID 3524
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RFQ.exe | "C:\Users\Admin\AppData\Local\Temp\RFQ.exe" | PID 1904
        C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 544 | PID 2892
          - Program crash

C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1904 -ip 1904 | PID 2056
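The signature rows and process tree above describe one injection chain: the first RFQ.exe (PID 3524) writes into a second, suspended copy of itself (PID 1904) and then resets a thread context in it, the warzonerat YARA rule fires on PID 1904's memory at 0x720000-0x87C000 at three capture points, and WerFault is later launched for PID 1904. The Python below is an added example, not part of the Triage report and not Warzone's or Triage's code. It parses the report's flattened rows, groups WriteProcessMemory and SetThreadContext by (source, target) pair to flag the hollowing pattern, and ties the YARA memory-dump names back to the injected process. The row text, image paths and dump names are taken from this report; the function names and the output structure are my own.

```python
import re
from collections import defaultdict

# Constructed input, copied from the report's flattened signature rows.
# The WriteProcessMemory row appears 11 times in the report, so it is
# repeated 11 times here instead of being pasted out in full.
SIGNATURE_ROWS = (
    "PID 3524 set thread context of 1904 3524 RFQ.exe 84\n"
    + "PID 3524 wrote to memory of 1904 3524 RFQ.exe 84\n" * 11
)

# Constructed input: image path per PID, taken from the report's process tree.
PROCESS_IMAGES = {
    3524: r"C:\Users\Admin\AppData\Local\Temp\RFQ.exe",
    1904: r"C:\Users\Admin\AppData\Local\Temp\RFQ.exe",
    2892: r"C:\Windows\SysWOW64\WerFault.exe",
    2056: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Constructed input: the memory-dump resources that matched the warzonerat rule.
YARA_HITS = [
    "behavioral2/memory/1904-140-0x0000000000720000-0x000000000087C000-memory.dmp",
    "behavioral2/memory/1904-145-0x0000000000720000-0x000000000087C000-memory.dmp",
    "behavioral2/memory/1904-150-0x0000000000720000-0x000000000087C000-memory.dmp",
]

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<procid>\d+)"
)
VERB_TO_API = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}
# Triage dump names: <pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_injection_events(text):
    """Turn flattened 'PID X wrote to memory of Y ...' rows into event dicts."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        events.append({
            "api": VERB_TO_API[m.group("verb")],
            "src": int(m.group("src")),
            "dst": int(m.group("dst")),
            "image": m.group("image"),
        })
    return events


def find_process_hollowing(events, images):
    """Flag a (src, dst) pair when src both wrote into dst and reset a thread
    context in dst. WriteProcessMemory followed by SetThreadContext is the
    classic hollowing sequence: create suspended, overwrite the image, point
    the main thread at the new entry point, resume. Writes alone are not enough."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for ev in events:
        per_pair[(ev["src"], ev["dst"])][ev["api"]] += 1
    findings = []
    for (src, dst), counts in sorted(per_pair.items()):
        writes = counts.get("WriteProcessMemory", 0)
        ctx = counts.get("SetThreadContext", 0)
        if writes and ctx:
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": writes,
                "thread_context_sets": ctx,
                # A parent hollowing a suspended copy of itself, as in this report.
                "same_image": images.get(src) == images.get(dst),
            })
    return findings


def parse_dump_name(name):
    """Extract PID and mapped region from a Triage memory-dump resource name."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "start": start, "end": end, "size": end - start}


def payload_regions(hits):
    """Collapse repeated captures of the same (pid, region) into one entry."""
    regions = {}
    for name in hits:
        d = parse_dump_name(name)
        regions.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(regions.values())


def report(events, images, hits):
    """Join the injection findings with the YARA hits: did the payload land
    in a process that was hollowed by another one?"""
    findings = find_process_hollowing(events, images)
    regions = payload_regions(hits)
    hollowed = {f["target_pid"] for f in findings}
    for r in regions:
        r["in_hollowed_process"] = r["pid"] in hollowed
    return {"hollowing": findings, "payload_regions": regions}


if __name__ == "__main__":
    out = report(parse_injection_events(SIGNATURE_ROWS), PROCESS_IMAGES, YARA_HITS)
    for f in out["hollowing"]:
        print(f"{f['source_pid']} -> {f['target_pid']}: {f['writes']} writes, "
              f"{f['thread_context_sets']} SetThreadContext, same image: {f['same_image']}")
    for r in out["payload_regions"]:
        print(f"PID {r['pid']} 0x{r['start']:X}-0x{r['end']:X} ({r['size']} bytes), "
              f"in hollowed process: {r['in_hollowed_process']}")
```

On this report the output is one hollowing finding (3524 into 1904, eleven writes, one SetThreadContext, same image path) and one payload region of 0x15C000 bytes inside the hollowed process. The same grouping logic transfers to endpoint telemetry that records cross-process memory writes and thread-context changes by source and target PID; the regexes here only cover Triage's flattened row and dump-name formats. Note that the C2 (185.29.9.20:5200) comes from the extracted configuration, and the three dumps plus the WerFault launch for PID 1904 show the payload was mapped into the child before that child crashed in the sandbox.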