warzonerat | 57c76226a25c44ea73d0ffd2b8258a56[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

57c76226a25c44ea73d0ffd2b8258a56.bin
Size

52KB
MD5

7fe70ff06a464051caef7e5f5e2cfa09
SHA1

4e3448b0cc6c8419c868d7d94fbae8f3c2e82018
SHA256

52afc8a2535a698dd9d108c14875c9c4900a941e2ef7a9e6815b3294a1ae6051
SHA512

98ba6471251a59129bda2ede4ef907747d507252e2a23692d69fec533d0a7673f58a1426313c0014af80f118f2581db042ca4631b68ffa259b275d58a55705a5
SSDEEP

1536:t3j7Rimqj5bcy/e80ALw4/G4WwoCe97jYIuOQ1:tnRif5bcy30ALf/aRte

Score

10^/10

rat warzonerat

Malware Config

Extracted

Family

warzonerat

segun.ddns.net:5200

Signatures

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/24c31e8d645268f9b40c348887aebe9eacf476b25c52e904ca90967a97ca0165.exe	warzonerat

Warzonerat family
warzonerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/24c31e8d645268f9b40c348887aebe9eacf476b25c52e904ca90967a97ca0165.exe

Files

57c76226a25c44ea73d0ffd2b8258a56.bin
.zip

Password: infected
24c31e8d645268f9b40c348887aebe9eacf476b25c52e904ca90967a97ca0165.exe
.exe windows:5 windows x86

Password: infected

4747c70adc127d28c18f0f7237b1add9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetStartupInfoA
HeapFree
VirtualFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
LocalFree
GetFileSize
FreeLibrary
WaitForSingleObject
GetCurrentProcess
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
CreateProcessW
CreateEventA
LoadLibraryA
LoadResource
FindResourceW
GetComputerNameW
LoadLibraryExW
FindFirstFileW
FindNextFileW
GetCommandLineA
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
VirtualProtectEx
GetProcessHeap
SizeofResource
VirtualProtect
Wow64DisableWow64FsRedirection
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
LockResource
GetWindowsDirectoryW
IsWow64Process
Process32First
WriteProcessMemory
Process32Next
GetWindowsDirectoryA
VirtualAllocEx
CreateRemoteThread
WinExec
GetTempPathA
HeapAlloc
Sleep
lstrcmpW
GetTickCount
lstrcpyW
WideCharToMultiByte
GetModuleHandleA
ExitProcess
SetFilePointer
lstrcpyA
MultiByteToWideChar
lstrcatA
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
GetProcAddress
lstrcatW
GetLastError
SetLastError
GetModuleFileNameA
CreateDirectoryW
GetModuleFileNameW
CreateProcessA

user32

MessageBoxA
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
SetWindowsHookExA
RegisterClassW
GetRawInputData
MapVirtualKeyA
GetForegroundWindow
DefWindowProcA
RegisterRawInputDevices
GetLastInputInfo
ToUnicode
GetKeyNameTextW
PostQuitMessage
GetWindowTextW
TranslateMessage
wsprintfA
wsprintfW

advapi32

LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
GetTokenInformation
CloseServiceHandle
OpenSCManagerW
RegCreateKeyExW
RegDeleteKeyW
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
RegSetValueExA

shell32

ShellExecuteExW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
SHGetFolderPathW
ShellExecuteW
ord680
ShellExecuteExA

urlmon

URLDownloadToFileW

ws2_32

setsockopt
freeaddrinfo
htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
ioctlsocket
ntohs
gethostbyname
inet_addr
getaddrinfo

ole32

CoCreateInstance
CoUninitialize
CoInitialize
CoTaskMemFree

shlwapi

StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
PathFindExtensionW
PathFileExistsW

netapi32

NetLocalGroupAddMembers
NetUserAdd

oleaut32

VariantInit

crypt32

CryptStringToBinaryA
CryptUnprotectData

psapi

GetModuleFileNameExW

wininet

InternetQueryDataAvailable
InternetOpenUrlW
InternetOpenW
InternetCloseHandle
InternetReadFile
InternetCheckConnectionW

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

4747c70adc127d28c18f0f7237b1add9

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

urlmon

ws2_32

ole32

shlwapi

netapi32

oleaut32

crypt32

psapi

wininet

Sections

.text Size: 66KB - Virtual size: 65KB

.rdata Size: 15KB - Virtual size: 15KB

.data Size: 1KB - Virtual size: 7KB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 3KB - Virtual size: 3KB

.bss Size: 512B - Virtual size: 4KB

.text
Size: 66KB - Virtual size: 65KB

.rdata
Size: 15KB - Virtual size: 15KB

.data
Size: 1KB - Virtual size: 7KB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 3KB - Virtual size: 3KB

.bss
Size: 512B - Virtual size: 4KB