warzonerat | 2f464a9bcfe09d2ab8ae6081d1d4d13a[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

2f464a9bcfe09d2ab8ae6081d1d4d13a.bin
Size

60KB
MD5

b120252f4aa285b445ea5bc66829c5fc
SHA1

e72922b30a7f6d9af39eb9cd1196f1df1601e1d0
SHA256

e50b596f35bde3397bdaf37fb67813644af5abca6f2b9bdbee7196e43960772f
SHA512

1085c2d487040c4279bcbd3eb31e71701c01867466e9ce4843ea5a9077728fd262a754d7b76d928da8ea3ace63eae9b43240c233109b6b6eae7fd8ddb666c708
SSDEEP

1536:c0yKkbWjjs7L43vUkn9UxyRdQtQVGPPve2mMh5umMuKjQsB:yA2L4fUkyyAtQVGHvefuFK5

Score

10^/10

rat warzonerat

Malware Config

Extracted

Family

warzonerat

130.51.40.194:1313

Signatures

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/bd54c011fb60ffa1cc97173178ffba67c3feeaaa9ca0fbfd08b201988a21e9d6.exe	warzonerat

Warzonerat family
warzonerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/bd54c011fb60ffa1cc97173178ffba67c3feeaaa9ca0fbfd08b201988a21e9d6.exe

Files

2f464a9bcfe09d2ab8ae6081d1d4d13a.bin
.zip

Password: infected
bd54c011fb60ffa1cc97173178ffba67c3feeaaa9ca0fbfd08b201988a21e9d6.exe
.exe windows x86

Password: infected

51a1d638436da72d7fa5fb524e02d427

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

bcrypt

BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptOpenAlgorithmProvider
BCryptDecrypt

kernel32

HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
CreateProcessA
GetModuleHandleW
IsWow64Process
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
LoadLibraryA
LocalFree
WaitForSingleObject
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
GetStartupInfoA
CreateEventA
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetProcessHeap
ReleaseMutex
TerminateProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
SizeofResource
VirtualProtect
GetSystemDirectoryW
LockResource
GetWindowsDirectoryW
Process32First
Process32Next
WinExec
GetTempPathA
HeapAlloc
lstrcmpW
GetTickCount
lstrcpyW
WideCharToMultiByte
lstrcpyA
Sleep
MultiByteToWideChar
GetCommandLineA
GetModuleHandleA
ExitProcess
CreateProcessW
lstrcatA
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
lstrcatW
GetLastError
VirtualFree
GetProcAddress
SetLastError
GetModuleFileNameA
CreateDirectoryW
LocalAlloc
CreateMutexA

user32

GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
GetForegroundWindow
GetKeyNameTextW
PostQuitMessage
MessageBoxA
GetLastInputInfo
wsprintfW
GetWindowTextW
wsprintfA
ToUnicode

advapi32

RegDeleteKeyW
RegCreateKeyExW
RegSetValueExA
RegDeleteValueW
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
GetTokenInformation
LookupAccountSidW
FreeSid
RegQueryValueExW

shell32

ShellExecuteExA
ShellExecuteExW
ord680
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW
SHGetFolderPathW
SHGetKnownFolderPath

urlmon

URLDownloadToFileW

ws2_32

htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
InetNtopW
gethostbyname
inet_addr
getaddrinfo
setsockopt
freeaddrinfo

ole32

CoInitializeSecurity
CoCreateInstance
CoInitialize
CoUninitialize
CoTaskMemFree

shlwapi

StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
PathFileExistsW
PathFindExtensionW

netapi32

NetLocalGroupAddMembers
NetUserAdd

oleaut32

VariantInit

crypt32

CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW

psapi

GetModuleFileNameExW

Sections

.text
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

51a1d638436da72d7fa5fb524e02d427

Headers

DLL Characteristics

File Characteristics

Imports

bcrypt

kernel32

user32

advapi32

shell32

urlmon

ws2_32

ole32

shlwapi

netapi32

oleaut32

crypt32

psapi

Sections

.text Size: 76KB - Virtual size: 75KB

.rdata Size: 18KB - Virtual size: 18KB

.data Size: 1KB - Virtual size: 1.2MB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 4KB - Virtual size: 3KB

.bss Size: 512B - Virtual size: 4KB

.text
Size: 76KB - Virtual size: 75KB

.rdata
Size: 18KB - Virtual size: 18KB

.data
Size: 1KB - Virtual size: 1.2MB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 4KB - Virtual size: 3KB

.bss
Size: 512B - Virtual size: 4KB