Analysis Overview
SHA256
7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b
Threat Level: Known bad
The file bab.exe was found to be: Known bad.
Malicious Activity Summary
Warzone RAT payload
Warzonerat family
WarzoneRat, AveMaria
Warzone RAT payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 12:44
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 12:44
Reported
2024-01-28 12:47
Platform
win7-20231215-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\bab.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe" | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
| PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
| PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
| PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bab.exe
"C:\Users\Admin\AppData\Local\Temp\bab.exe"
C:\ProgramData\bab.exe
"C:\ProgramData\bab.exe"
Network
Files
\ProgramData\bab.exe
| MD5 | 8d80bcf8e28f59faa0d7571546e258b6 |
| SHA1 | 032efd6c3247d963b9292c0dfe9ccd47fe6f9a9f |
| SHA256 | 7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b |
| SHA512 | d26fb98aee6e0b273dfe9c19afd11d15e4b9b0dced141f705755132d8d15a5d5b11869aa5b8131509eb34f933d682867040cf36f6b5026e1ce4bf32a1f10e598 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 12:44
Reported
2024-01-28 12:47
Platform
win10v2004-20231222-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\bab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe" | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
| PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
| PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bab.exe
"C:\Users\Admin\AppData\Local\Temp\bab.exe"
C:\ProgramData\bab.exe
"C:\ProgramData\bab.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bossnew.ddns.net | udp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bossnew.ddns.net | udp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
| US | 141.11.93.195:1001 | bossnew.ddns.net | tcp |
Files
C:\ProgramData\bab.exe
| MD5 | 8d80bcf8e28f59faa0d7571546e258b6 |
| SHA1 | 032efd6c3247d963b9292c0dfe9ccd47fe6f9a9f |
| SHA256 | 7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b |
| SHA512 | d26fb98aee6e0b273dfe9c19afd11d15e4b9b0dced141f705755132d8d15a5d5b11869aa5b8131509eb34f933d682867040cf36f6b5026e1ce4bf32a1f10e598 |