General
-
Target
License.exe
-
Size
132KB
-
MD5
3fe2c67520f94b0c9d1221d7421b334a
-
SHA1
28b16d233707cbf268f438327b77a3f57bf5ad88
-
SHA256
7092b115b53bf71085e81d38ce313077f8f508f930295cfa73fa8d93a5bd1868
-
SHA512
a15fab2d996266c9a3d85ee85ea9eb107aeef525e3df422471637c68805454cfdd2188d59965e77e9c5079a57f3ce260f94cdb6f75cf56b247f62a8fc482a75f
-
SSDEEP
3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
Malware Config
Extracted
warzonerat
Sanael-62946.portmap.host:62946
Signatures
-
Warzone RAT payload 1 IoCs
resource yara_rule sample warzonerat -
Warzonerat family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource License.exe
Files
-
License.exe.exe windows x86
56fc94e02d7bc310030753938e49a91a
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
webservices
WsFileTimeToDateTime
bcrypt
BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptOpenAlgorithmProvider
BCryptDecrypt
kernel32
lstrcpyW
GetTickCount
HeapAlloc
GetProcessHeap
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
LocalAlloc
LocalFree
SystemTimeToFileTime
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
GetModuleHandleW
IsWow64Process
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
lstrcmpA
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
WaitForSingleObject
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
CreateProcessW
CreateEventA
GetModuleFileNameW
WideCharToMultiByte
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
lstrlenA
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
K32GetModuleFileNameExW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
DeleteFileW
SizeofResource
VirtualProtect
GetSystemDirectoryW
LockResource
GetWindowsDirectoryW
Process32First
Process32Next
GetTempPathA
ExpandEnvironmentStringsW
lstrlenW
lstrcmpW
CreateProcessA
WinExec
ExitProcess
GetProcAddress
lstrcpyA
CloseHandle
lstrcatW
LoadLibraryA
GetLastError
GetPrivateProfileStringW
GetModuleHandleA
GetTempPathW
VirtualFree
SetLastError
Sleep
GetModuleFileNameA
CreateDirectoryW
MultiByteToWideChar
lstrcatA
SetCurrentDirectoryW
InitializeCriticalSection
user32
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
ToUnicode
wsprintfW
PostQuitMessage
GetLastInputInfo
GetForegroundWindow
GetWindowTextW
wsprintfA
GetKeyNameTextW
CharLowerW
advapi32
RegDeleteValueW
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
RegCreateKeyExW
RegDeleteKeyW
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
GetTokenInformation
RegSetValueExA
shell32
SHGetFolderPathW
ShellExecuteExA
ord680
SHGetKnownFolderPath
SHFileOperationW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW
urlmon
URLDownloadToFileW
ws2_32
getaddrinfo
setsockopt
freeaddrinfo
htons
recv
socket
send
WSAConnect
WSAStartup
shutdown
closesocket
WSACleanup
connect
InetNtopW
gethostbyname
inet_addr
ole32
CoCreateInstance
CoInitialize
CoTaskMemFree
CoUninitialize
CoInitializeSecurity
shlwapi
StrStrW
PathFindExtensionW
PathCombineA
PathFindFileNameW
StrStrA
PathRemoveFileSpecA
PathFileExistsW
netapi32
NetUserAdd
NetLocalGroupAddMembers
oleaut32
VariantInit
crypt32
CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW
wininet
InternetTimeToSystemTimeA
Sections
.text Size: 92KB - Virtual size: 92KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 1.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.bss Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ