Overview

overview

10

Static

static

3

00d1ab5309...7c.exe

windows7-x64

10

00d1ab5309...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2023 02:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00d1ab5309b9fa1fd4a03ee45cf68b7c.exe

  • Size

    150KB

  • MD5

    00d1ab5309b9fa1fd4a03ee45cf68b7c

  • SHA1

    a42e1cbb962f50e08d65bc4720d343da917324ce

  • SHA256

    0c79b94bb739d4770b3fc803a83dffeea129db0b293b4ff5ca923fc5597785a4

  • SHA512

    53edc178e98e45e8338995f3548aac3107b5da32352a27cdb6d271426fd46e8ca3af0a8b0611dac3a235efd7a19ff92a82577c6be2fcd68cc12ec3614931fc1d

  • SSDEEP

    3072:3fY/TU9fE9PEtu6xbXI5XYXsjQeNYGGzzfbe1IKKbpSjfxCcY4e/75XBhsFJzb78:vYa6cIYXsjQeNYGGnbelcpOxCcLS9xhD

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

healings.duckdns.org:7722

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
    "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
      "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nso35E.tmp\fdxxk.dll
    Filesize

    4KB

    MD5

    00967f769ee377f027bb48733a19a3a8

    SHA1

    2cda5fcec2df7e41ff668b0dc41df285940de5c7

    SHA256

    0c2e7f4e19b7a5254ae364b18dd803a3d46b3678fd93740dbd7fdfbf421028a0

    SHA512

    c99ac18a0e00c82ffa1469bcd67aa0d36122d7feaf10942c1b78ca96640a0ab1beb95651a1f79108199616312bf1d7119cbcbf6af9a08ae09c277c02f9d32876

    Download Submit

  • memory/2044-63-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2044-65-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2044-66-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2044-67-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

    Download