Malware Analysis Report

2024-10-19 09:24

Sample ID 230815-pjw8qsaf77
Target ORDER-230814AF.vbs
SHA256 5502c7306e749b3a59e5c8b35d7e3b21e397ac0a98092519a19e1c1de2ce1de3
Tags

warzonerat wshrat infostealer persistence rat spyware stealer trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

5502c7306e749b3a59e5c8b35d7e3b21e397ac0a98092519a19e1c1de2ce1de3

Threat Level: Known bad

The file ORDER-230814AF.vbs was found to be: Known bad.

Malicious Activity Summary

warzonerat wshrat infostealer persistence rat spyware stealer trojan

WarzoneRat, AveMaria

WSHRAT

Warzone RAT payload

Blocklisted process makes network request

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-15 12:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-15 12:22

Reported

2023-08-15 12:24

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230814AF.vbs"

Signatures

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QENVVO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QENVVO.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QENVVO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QENVVO.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\images.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1404 wrote to memory of 4500 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 4500 wrote to memory of 3556 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 3556 wrote to memory of 468 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 468 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | C:\ProgramData\images.exe
PID 4960 wrote to memory of 2476 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230814AF.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\QENVVO.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.163.50.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
SG | 103.47.144.25:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 25.144.47.103.in-addr.arpa | udp
SG | 103.47.144.25:49746 | chongmei33.publicvm.com | tcp
NL | 172.217.168.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
NL | 5.206.225.104:80 | | tcp
US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\QENVVO.vbs

MD5 c863717ead17c4488aa7f85b33ba8b20
SHA1 a1ecbd6e0ee64022e0e2ec358f9d33fec435e164
SHA256 355f53e53d0a8280ca4bc2e38bad3d6be7a00a3789355f09cbb822464fd8929e
SHA512 348d071ac5f156ccf25bbce538583ebcafa8b337d3ae6e5fd1a2d54ec71e99764ef4e8d9639463d9521910d29946abef371fe8c863dbbe3ac70aa035f3c2907e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QENVVO.vbs

MD5 c863717ead17c4488aa7f85b33ba8b20
SHA1 a1ecbd6e0ee64022e0e2ec358f9d33fec435e164
SHA256 355f53e53d0a8280ca4bc2e38bad3d6be7a00a3789355f09cbb822464fd8929e
SHA512 348d071ac5f156ccf25bbce538583ebcafa8b337d3ae6e5fd1a2d54ec71e99764ef4e8d9639463d9521910d29946abef371fe8c863dbbe3ac70aa035f3c2907e

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/2476-165-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4960-172-0x0000000003760000-0x00000000037E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6V1Y4KVO\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

memory/4960-179-0x0000000003760000-0x00000000037E4000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-15 12:22

Reported

2023-08-15 12:24

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230814AF.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDER-230814AF.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | grapemundo.com | udp
IN | 103.50.163.157:443 | grapemundo.com | tcp

Files

N/A