Malware Analysis Report

2025-03-15 06:31

Sample ID 240128-pyz8yaahc3
Target bab.exe
SHA256 7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b
Tags
rat warzonerat infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b

Threat Level: Known bad

The file bab.exe was found to be: Known bad.

Malicious Activity Summary

rat warzonerat infostealer persistence

Warzone RAT payload

Warzonerat family

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 12:44

Signatures

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Warzonerat family

warzonerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 12:44

Reported

2024-01-28 12:47

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bab.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\bab.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe" | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe
PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe
PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe
PID 2316 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bab.exe

"C:\Users\Admin\AppData\Local\Temp\bab.exe"

C:\ProgramData\bab.exe

"C:\ProgramData\bab.exe"

Network

N/A

Files

\ProgramData\bab.exe

MD5 8d80bcf8e28f59faa0d7571546e258b6
SHA1 032efd6c3247d963b9292c0dfe9ccd47fe6f9a9f
SHA256 7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b
SHA512 d26fb98aee6e0b273dfe9c19afd11d15e4b9b0dced141f705755132d8d15a5d5b11869aa5b8131509eb34f933d682867040cf36f6b5026e1ce4bf32a1f10e598

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 12:44

Reported

2024-01-28 12:47

Platform

win10v2004-20231222-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bab.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\bab.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe" | C:\Users\Admin\AppData\Local\Temp\bab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe
PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe
PID 4808 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\bab.exe | C:\ProgramData\bab.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bab.exe

"C:\Users\Admin\AppData\Local\Temp\bab.exe"

C:\ProgramData\bab.exe

"C:\ProgramData\bab.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | bossnew.ddns.net | udp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | bossnew.ddns.net | udp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp
US | 141.11.93.195:1001 | bossnew.ddns.net | tcp

Files

C:\ProgramData\bab.exe

MD5 8d80bcf8e28f59faa0d7571546e258b6
SHA1 032efd6c3247d963b9292c0dfe9ccd47fe6f9a9f
SHA256 7d5ce8feaaac8488197a12aa640d7b6f32f109dda578293a8b86f8a712f4ee0b
SHA512 d26fb98aee6e0b273dfe9c19afd11d15e4b9b0dced141f705755132d8d15a5d5b11869aa5b8131509eb34f933d682867040cf36f6b5026e1ce4bf32a1f10e598