Overview

overview

10

Static

static

10

028c26af36...56.exe

windows7-x64

10

028c26af36...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    16/01/2024, 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.exe

  • Size

    1.3MB

  • MD5

    4a36c902a2e841eb72be13a1741e8458

  • SHA1

    ad7d071afddbba4c7ea60f79936b498ad32cd9f9

  • SHA256

    028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56

  • SHA512

    74463a507f53772252061516bdde6cc02450332ba0b24f12f99007eef92457296eb8eb13ecc61baa6410041bab334ae87ee8cbcb80ecb2b1147e86a7f49d38e7

  • SSDEEP

    24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY/:8u0c++OCvkGs9Fa+rd1f26RaY/

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 19 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 5 IoCs
    rat
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 13 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.exe
    "C:\Users\Admin\AppData\Local\Temp\028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:1696
    • C:\Users\Admin\AppData\Local\Temp\028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.exe
      "C:\Users\Admin\AppData\Local\Temp\028c26af36b0a9adf4d1a9c91c2531e28580ebd15d2200fec58c81337813ae56.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2768
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:2596
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4A4D903B-0371-4F70-9E44-AD97CE52637C} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:2044
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            3⤵
            • Creates scheduled task(s)
            PID:2328
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            3⤵
            • Executes dropped EXE
            PID:1400
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            3⤵
            • Executes dropped EXE
            PID:2204
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:1152
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
              3⤵
              • Creates scheduled task(s)
              PID:1796
            • C:\Users\Admin\AppData\Roaming\Blasthost.exe
              "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
              3⤵
              • Executes dropped EXE
              PID:1048
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            2⤵
            • Executes dropped EXE
            PID:1976
            • C:\Users\Admin\AppData\Roaming\Blasthost.exe
              "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
              3⤵
                PID:1664
              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
                3⤵
                  PID:2128
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe"
                    4⤵
                      PID:2640
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
                    3⤵
                    • Creates scheduled task(s)
                    PID:2568

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                32KB

                MD5

                b67cc53b8c644cd0ae1d6a02a3c9a6b2

                SHA1

                59fd06bdb6d0845f5c8a3bccd2f9774460651dbd

                SHA256

                6973cfd782d346ee1263009c621e2f0fab0650d961475507272cfa41166f0ed8

                SHA512

                fe2457f9675f7a47783520b7cc8d2d3740d7997403dd39c26e948eca7cc0b926241189aa283ce9bd5ca48194eeb3901a3ed3ab1e0941940723e66558a7c39501

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                40KB

                MD5

                4ac7b7248d5f820a9249de140b6c797b

                SHA1

                7ab4ec28ef930b0a60dadd861fa589fcad97a96f

                SHA256

                cfd615987a39e52651b2512439390fb89ff9584e2689d48ef88ad82fbf1f07ba

                SHA512

                55e279158723f7e7df96fa64f222afd72612456944c5c598d9e4ee8e6232f6f5df202e8d04b0b8eaf3f57322d4dd6fdc9cde6fb9bbb8b25ff6907390e13d8b42

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                45KB

                MD5

                fc17d86a6b7f50f241a84babfdf27437

                SHA1

                2166814afae1183201f7d7bbaa4e535b03390652

                SHA256

                d1145613bad25841e69439cb6d7bdba9c42eeceefa21c406761fd393437871fc

                SHA512

                d5341927ce113adaccee9e09a8fccdec173e132bfbbd27d9b58695f8860caa98bc9935029b2d2386c06b9fecf620c5c0a7568614d9d4e746043fd9ac9cba02b4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
                Filesize

                1KB

                MD5

                c8a63e8f8de990a4a4220516e84d643b

                SHA1

                a3b04c1e77021409d0b633f2bc9c7c94ecdb9b22

                SHA256

                a6cc810170df37a9494b535d9726476cd8fc805b906c2985f733311873b4adeb

                SHA512

                5c245016dcc15cc52dacbf1ee4a5fa8181cc07782ea56fabeb95be4c114844e1d19d982b5ecf396896bf858c8107443d1cc515769473916e4683c236efb32e7c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                66KB

                MD5

                18dcf18488bc5e97676fb779f661ea95

                SHA1

                46311d258090d5d9d9176e06b54d66490802e4b2

                SHA256

                d56ea41383b7d77a4952a60e83fcc13a8c68e367cdba4647af814cda5d1f96a3

                SHA512

                16324b7f52765450bea5d0f3ef93cdaca48b460ab5072ef49f936410e6b3e27892a8ec444399e2f626c2f984115f908980c9c787090559557e9af3f0268a6a86

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                130KB

                MD5

                cb74e6376dc22a146925b5e7e764551b

                SHA1

                ed146e333d4e3219342edfcbd64e0831cab4835c

                SHA256

                71a6facf0a4fbb082e23fb4f6fe737177d8e4de5c829063877f7f08a6133a033

                SHA512

                cce18161338cbfef911cba6c3cfc78860b01d6accc7ab98f15dd4d95b6909ab8204a61214d1e2d8adde8e25048730d42d21517bd1a88f41fdff52e96bd543504

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                440KB

                MD5

                54f46f6c57bab98a8c1c0b594cba2908

                SHA1

                03851fdcf81559fcf4301839ba374987662cb2f5

                SHA256

                6c6a0dd909ed966191219935a044efc99dcfbfccd3f345dcc3c3be9c0a0b98fe

                SHA512

                7f85fe69492d2cc3943a2646478a94d7ec0a46082cc3344786fbcbfccc9f1f55567da32944718ba075491fa6fcf9c846f47714bce54a753be21cad14f408b7a2

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                64KB

                MD5

                65d7ce369f6b5854e1646b98312bc0a8

                SHA1

                a1c4cb24482d066760c911e0227c0463ff22375b

                SHA256

                8d5576d829a215af7c3f466995252694e610c1b0925559809ca4a1eed384eafe

                SHA512

                8d8268db2210a32389abebee778656e57bf1ba0a928800b4b72aae67ba7bfbc28a3f6d17de2ce54bebbc6ca60ce752b047d1efc0a034c49dbe8a6aaa146c0b3c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                1KB

                MD5

                b1fdfc9aaa0bf5cf9c133cf381756894

                SHA1

                123141d607e03b99ab9b93971bcbd8811d5b74fa

                SHA256

                6b6082f6a0aa9e144363ffb68d54a66239fc01680f63651b231b0c9ba41e4854

                SHA512

                2ecaa1473f8242c7f02ad3a06c0c15c66e6f24e5343940de2793b61563fb53f5eabb978d39b7f1074ca606cad0af7a8f864d555c209d71f9ae796b946e79e99c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                478KB

                MD5

                661248c59f35cbe0f0204d2c682fd11e

                SHA1

                a84ab1fefffbcbd76685415ccf8d38799619b9b8

                SHA256

                3ad22a9c24bc4627993b2dc017319532f9541e6311c17a819d51b1e26b6863c5

                SHA512

                bafec4c5e8de52ad0b64c3bb687f4739cb0a2cabe7a31eb00aac16bf856f52c145dd8d6d87327364e459ead42537f99ebe2bfaa6dd4c033998e1f4bfaa5c2d2d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
                Filesize

                160KB

                MD5

                cbd0a2642143eb923e0fa999b6028723

                SHA1

                dbd352100ec39d53f6f3aa2fae0f954119176374

                SHA256

                06c5e1eb7378f85b57bf2333d69d23c137a8d2fa33f8eca20c521ff38cecec26

                SHA512

                12c9ec3ef0316f9e543f4001d33718d8003f3c0dbf45271ab488686bf16faf3e426f8648d81af74951b921e94b5edb8fe9fe9d008b99d3b3e160f9951400e4a5

                Download Submit

              • \Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                128KB

                MD5

                9334eeca7a29b6c1743a471c02b0c7b1

                SHA1

                96cb5e6fd8958810837e4eb2270f5cfe26e12eb6

                SHA256

                6a4456574b80eaded997dd37f639e21dd011d8b42bc911a67c9f09828fffcece

                SHA512

                ac4ad2e2da3d52e1db1308b2fb4f8ab8e9d1fe991e59433d43f5e5da1625e91e3d972b006957913449651aee81491bbb8502684f085e1b75c836c31a63527a1a

                Download Submit

              • \Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                14KB

                MD5

                5d8033ccd790d7b7182d1467e92ec493

                SHA1

                87b740fb19b60c4e0f9ecdc91e128f8689e64052

                SHA256

                4f3a86b6166cba2e773fe303c29d4b86db732cd7e3d0246ec6fdc8f42662a252

                SHA512

                d64980211d2def75a9b7e8280b84bc02fb868f7442fd5202d2cae444d4535add409d7ae98efa87f5dab7b866e66d5f31a1d8da67aebe69f36824a668fa473d0e

                Download Submit

              • \Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                132KB

                MD5

                6087bf6af59b9c531f2c9bb421d5e902

                SHA1

                8bc0f1596c986179b82585c703bacae6d2a00316

                SHA256

                3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

                SHA512

                c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

                Download Submit

              • \Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                92KB

                MD5

                94bacdf3683347aeffa5ffb176bac54d

                SHA1

                3b0d853550a215b5d18850ea397831955ae5718a

                SHA256

                69a6e920b0781134c297f4ae4b78aeead1ddb5503711e106fcdcf3c83d323084

                SHA512

                d1240c41a1a8e69eb4f1f16763c99505a5c472262eece350cfe0f57c79ed5c7476da883460b81530a189411e1627f1015147a378ad1c42b71cbee3ddb4922b0a

                Download Submit

              • \Users\Admin\AppData\Roaming\Blasthost.exe
                Filesize

                64KB

                MD5

                97fb534a9a6fd0a7dd4cc20771cc4508

                SHA1

                d076673df1853bf35c1a07a963c2afba0d534d4d

                SHA256

                27bae6fc871653d8ad811833e1d4e28ada61a8d39a369ca93ca58d48a02de303

                SHA512

                69c75d6d4fa2ab5bf0faa1cdff37fc92b75d05cf91d68822ffa7346de4a2542f37dbdbd82f9e7c984612e9bdefa1273663c27cefe86bfa2ae136d0b5498e178a

                Download Submit

              • memory/1152-116-0x0000000000260000-0x0000000000261000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1400-85-0x0000000000400000-0x000000000042C000-memory.dmp

                Filesize

                176KB

                Download

              • memory/1588-66-0x00000000000D0000-0x00000000000ED000-memory.dmp

                Filesize

                116KB

                Download

              • memory/1588-77-0x00000000000D0000-0x00000000000ED000-memory.dmp

                Filesize

                116KB

                Download

              • memory/1588-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1628-23-0x0000000000400000-0x000000000042C000-memory.dmp

                Filesize

                176KB

                Download

              • memory/1696-46-0x0000000000400000-0x000000000042C000-memory.dmp

                Filesize

                176KB

                Download

              • memory/1696-45-0x0000000000400000-0x000000000042C000-memory.dmp

                Filesize

                176KB

                Download

              • memory/1724-27-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2044-80-0x0000000000160000-0x0000000000161000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2192-78-0x00000000008C0000-0x0000000000900000-memory.dmp

                Filesize

                256KB

                Download

              • memory/2552-37-0x0000000000080000-0x000000000009D000-memory.dmp

                Filesize

                116KB

                Download

              • memory/2552-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2552-26-0x0000000000080000-0x000000000009D000-memory.dmp

                Filesize

                116KB

                Download

              • memory/2552-25-0x0000000000080000-0x000000000009D000-memory.dmp

                Filesize

                116KB

                Download

              • memory/2640-164-0x0000000000260000-0x0000000000261000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2768-41-0x00000000000B0000-0x00000000000B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2768-39-0x00000000000B0000-0x00000000000B1000-memory.dmp

                Filesize

                4KB

                Download