Malware Analysis Report

2025-03-15 06:30

Sample ID 240127-2gjabadff7
Target 7b751b12e1ba5957b750deee88c76556
SHA256 88694f8e030e9d1ef06c16419ae18bd428c1e6907d191e20679f36734b2fe22b
Tags
warzonerat infostealer rat
score
10/10


Analysis Overview

score
10/10

SHA256

88694f8e030e9d1ef06c16419ae18bd428c1e6907d191e20679f36734b2fe22b

Threat Level: Known bad

The file 7b751b12e1ba5957b750deee88c76556 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-27 22:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 22:33

Reported

2024-01-27 22:35

Platform

win7-20231215-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Suspicious use of SetThreadContext

Description                        | Indicator | Process                                                                  | Target
PID 2528 set thread context of 2664 | N/A       | C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe | C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process                                                                  | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

Network

Country | Destination | Domain                   | Proto
US      | 8.8.8.8:53  | graceandfavour.ddns.net  | udp

Files

memory/2528-0-0x0000000000F50000-0x0000000000F69000-memory.dmp

memory/2528-1-0x0000000000140000-0x0000000000142000-memory.dmp

memory/2664-2-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2528-3-0x0000000000F50000-0x0000000000F69000-memory.dmp

memory/2664-5-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2664-6-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2664-7-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 22:33

Reported

2024-01-27 22:35

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe

"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3628 -ip 3628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 504

Network

Country | Destination | Domain                        | Proto
US      | 8.8.8.8:53  | 133.211.185.52.in-addr.arpa   | udp
US      | 8.8.8.8:53  | 208.178.17.96.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 95.221.229.192.in-addr.arpa   | udp
US      | 8.8.8.8:53  | 133.32.126.40.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 104.219.191.52.in-addr.arpa   | udp
US      | 8.8.8.8:53  | 97.17.167.52.in-addr.arpa     | udp
US      | 8.8.8.8:53  | 26.165.165.52.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 171.39.242.20.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 18.134.221.88.in-addr.arpa    | udp
US      | 8.8.8.8:53  | 182.178.17.96.in-addr.arpa    | udp

Files

memory/3628-0-0x0000000000560000-0x0000000000579000-memory.dmp

memory/3628-1-0x0000000002D30000-0x0000000002D32000-memory.dmp