Malware Analysis Report

2025-08-05 21:34

Sample ID 230329-kl1xgsfe62
Target RFQ.exe
SHA256 c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
Tags warzonerat infostealer persistence rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0

Threat Level: Known bad

The file RFQ.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-03-29 08:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-03-29 08:42
Reported 2023-03-29 08:44
Platform win7-20230220-en
Max time kernel 150s
Max time network 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\recycling.exe N/A
N/A N/A C:\Users\Admin\Documents\recycling.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recycling = "C:\\Users\\Admin\\Documents\\recycling.exe" C:\Users\Admin\AppData\Local\Temp\RFQ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1972 set thread context of 1936 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.exe C:\Users\Admin\AppData\Local\Temp\RFQ.exe
PID 568 set thread context of 960 N/A C:\Users\Admin\Documents\recycling.exe C:\Users\Admin\Documents\recycling.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1972 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.exe C:\Users\Admin\AppData\Local\Temp\RFQ.exe 12
PID 1936 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.exe C:\Users\Admin\Documents\recycling.exe 4
PID 568 wrote to memory of 960 N/A C:\Users\Admin\Documents\recycling.exe C:\Users\Admin\Documents\recycling.exe 12
PID 960 wrote to memory of 732 N/A C:\Users\Admin\Documents\recycling.exe C:\Windows\SysWOW64\cmd.exe 6

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

C:\Users\Admin\Documents\recycling.exe

"C:\Users\Admin\Documents\recycling.exe"

C:\Users\Admin\Documents\recycling.exe

"C:\Users\Admin\Documents\recycling.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
N/A 185.29.9.20:5200 tcp

Files

memory/1972-54-0x00000000008C0000-0x000000000091E000-memory.dmp

memory/1972-55-0x0000000004350000-0x0000000004390000-memory.dmp

memory/1972-56-0x0000000000290000-0x00000000002BE000-memory.dmp

memory/1936-57-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-58-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-59-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-60-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-61-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-62-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-63-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1936-66-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-71-0x0000000000080000-0x00000000001DC000-memory.dmp

memory/1936-76-0x0000000000080000-0x00000000001DC000-memory.dmp

\Users\Admin\Documents\recycling.exe

MD5 f734c6433f83441b57db89f3c37b21e8
SHA1 d5f26eb382cd9ad2a220a35b2eadfed2b49007f0
SHA256 c353f375242393a8bc42afcfa590ce13ddf30a4b2b881e47ddf9fa621a677ac0
SHA512 d5f464bebab1f08d6ea1a792fccc0f02b00aa8a49c73755128e2eccec3b5e95a9339027e63d5f0b8f98d404dc4e2b8376970e9ea324ef2076e0a78a2f8c6ac1e

memory/568-83-0x00000000003C0000-0x000000000041E000-memory.dmp

memory/568-84-0x0000000004240000-0x0000000004280000-memory.dmp

memory/960-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/960-99-0x0000000000230000-0x000000000038C000-memory.dmp

memory/960-104-0x0000000000230000-0x000000000038C000-memory.dmp

memory/732-105-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/732-106-0x00000000001F0000-0x00000000001F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-03-29 08:42
Reported 2023-03-29 08:44
Platform win10v2004-20230221-en
Max time kernel 135s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3524 set thread context of 1904 N/A C:\Users\Admin\AppData\Local\Temp\RFQ.exe C:\Users\Admin\AppData\Local\Temp\RFQ.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RFQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 544

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp 1
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp 1
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 52.152.110.14:443 tcp 6
IE 20.50.73.9:443 tcp 1
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp 1
US 8.248.3.254:80 tcp 2
NL 173.223.113.164:443 tcp 1
NL 173.223.113.131:80 tcp 1
US 204.79.197.203:80 tcp 1

Files

memory/3524-133-0x00000000004A0000-0x00000000004FE000-memory.dmp

memory/3524-134-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/3524-135-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/3524-136-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/3524-137-0x0000000004FB0000-0x0000000005016000-memory.dmp

memory/1904-140-0x0000000000720000-0x000000000087C000-memory.dmp

memory/1904-145-0x0000000000720000-0x000000000087C000-memory.dmp

memory/1904-150-0x0000000000720000-0x000000000087C000-memory.dmp