Malware Analysis Report

2025-03-15 06:30

Sample ID 240129-yjjgbabaeq
Target 80b66aa3e7594f20e55c184c6ba584e9
SHA256 a0a383d7599b7c847b366b4b35114f24205e3e9f624311c7931eea0d2218618c
Tags
warzonerat infostealer rat
score
10/10

Analysis Overview

score
10/10

SHA256

a0a383d7599b7c847b366b4b35114f24205e3e9f624311c7931eea0d2218618c

Threat Level: Known bad

The file 80b66aa3e7594f20e55c184c6ba584e9 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

CustAttr .NET packer

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 19:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 19:48

Reported

2024-01-29 19:51

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1080 set thread context of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1080 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1080 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1080 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1080 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txfneLkfREhTul" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5474.tmp"

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 16.160.77.104.in-addr.arpa udp
NL 185.222.57.226:3554 N/A tcp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
NL 185.222.57.226:3554 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
NL 185.222.57.226:3554 N/A tcp
NL 185.222.57.226:3554 N/A tcp

Files

memory/1080-0-0x0000000000C50000-0x0000000000CF6000-memory.dmp

memory/1080-1-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/1080-2-0x00000000056B0000-0x000000000574C000-memory.dmp

memory/1080-3-0x0000000005D00000-0x00000000062A4000-memory.dmp

memory/1080-4-0x00000000057F0000-0x0000000005882000-memory.dmp

memory/1080-5-0x0000000005670000-0x0000000005680000-memory.dmp

memory/1080-6-0x00000000057B0000-0x00000000057BA000-memory.dmp

memory/1080-7-0x00000000059E0000-0x0000000005A36000-memory.dmp

memory/1080-8-0x0000000005100000-0x0000000005112000-memory.dmp

memory/1080-9-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/1080-10-0x0000000005670000-0x0000000005680000-memory.dmp

memory/1080-11-0x00000000088E0000-0x0000000008972000-memory.dmp

memory/1080-12-0x0000000008D20000-0x0000000008D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5474.tmp

MD5 aa0ddd5017aa45d05261fc6adb42ab4d
SHA1 0a960e9992ec89ed1019f5e71d4079d83e78606c
SHA256 19067a24bd89a611400d8e241ca5db5844ddd62cdbce9d7bafa67defa5b9e789
SHA512 837159d9a6132346c2b0577931e2d80f1b92b1ed348401e374b721c5c2cf28cf73408545fa27ae07520a853f0aba71b452e01503533e62f1eb2bf74255bdbbc0

memory/2344-18-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2344-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2344-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1080-23-0x0000000074D60000-0x0000000075510000-memory.dmp

memory/2344-24-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 19:48

Reported

2024-01-29 19:51

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1636 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe
PID 1028 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\WerFault.exe
PID 1028 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\WerFault.exe
PID 1028 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\WerFault.exe
PID 1028 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\txfneLkfREhTul" /XML "C:\Users\Admin\AppData\Local\Temp\tmp232A.tmp"

C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe

"C:\Users\Admin\AppData\Local\Temp\80b66aa3e7594f20e55c184c6ba584e9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 200

Network

N/A

Files

memory/1636-0-0x0000000000D50000-0x0000000000DF6000-memory.dmp

memory/1636-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/1636-2-0x0000000002280000-0x00000000022C0000-memory.dmp

memory/1636-3-0x0000000000300000-0x0000000000312000-memory.dmp

memory/1636-4-0x0000000073FC0000-0x00000000746AE000-memory.dmp

memory/1636-5-0x0000000002280000-0x00000000022C0000-memory.dmp

memory/1636-6-0x00000000050E0000-0x0000000005172000-memory.dmp

memory/1636-7-0x00000000004B0000-0x00000000004D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp232A.tmp

MD5 9e5bdca9cf7167a173579496d995fcd3
SHA1 42e1db9f2379bf8afd58f11b3dd196f4e6e45367
SHA256 fe3d527ef399bca236662a2682691f13390c1e76c499acb18a84286dc2a6825e
SHA512 20809c5131bcce06e0593b8c97406621cd2d1adb112fbb2b268fc86eac01065794d42b90686034cc209e15776d37ecfe04d71e2fad38ee43a86de5a5951643d8

memory/1028-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-14-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-15-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-16-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1028-25-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-27-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1636-28-0x0000000073FC0000-0x00000000746AE000-memory.dmp