Malware Analysis Report

2025-03-15 06:28

Sample ID: 240130-mhyztsfdej
Target: 8233910c5b0fe9b4aa55c4f2263aebb4
SHA256: b0055410b3532760da065b33ac487f42f31c90ffc60f88ac3ed8a22e53240d52
Tags: warzonerat infostealer persistence rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b0055410b3532760da065b33ac487f42f31c90ffc60f88ac3ed8a22e53240d52

Threat Level: Known bad

The file 8233910c5b0fe9b4aa55c4f2263aebb4 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-01-30 10:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 10:28

Reported

2024-01-30 10:31

Platform

win10v2004-20231222-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\images.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe

"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
NL | 194.5.97.52:11101 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp

Files

memory/3532-0-0x0000000076370000-0x0000000076510000-memory.dmp

memory/3532-2-0x0000000003340000-0x0000000003E40000-memory.dmp

memory/3532-1-0x0000000002FB0000-0x0000000003104000-memory.dmp

C:\ProgramData\images.exe

MD5 234145091eea867f33f7db9031f8a510
SHA1 7fb9bd6cb751e2c06ebbe6e622661e6de7fd7a3a
SHA256 b002dc6fbdd482d435cec9d62ba52fdb8b9efa0cd3fca7ab05767a8e1972980c
SHA512 ea5971c6bf5a40142a8ca5b634f650cd6b15c22621e73545b95acf5e2fa77c8b981812a27737f426af897b1dfae16efceab13c9ed535412af4351edbddaab9b8

memory/3532-13-0x0000000076370000-0x0000000076510000-memory.dmp

memory/3532-12-0x0000000002FB0000-0x0000000003104000-memory.dmp

C:\ProgramData\images.exe

MD5 ecbf1c32f7f314682fa1507ca0083ba4
SHA1 4cb614454ace8b4d38d34d0357e7b3fb6e22e6dd
SHA256 9547396b4b934b7d0d1503504c759cc5459071f00a4bfdf77021866a0a6913cf
SHA512 e8609099754fa6179566739e0a8e08dac986312ac984a19875a44ff32669871ecaea698ff3754e6a2f2eddc46d72620b07bce625f44cd564a30dd3c16f2cd6d2

memory/2604-15-0x0000000076370000-0x0000000076510000-memory.dmp

memory/2604-16-0x0000000003DB0000-0x0000000003F04000-memory.dmp

memory/2604-23-0x0000000076370000-0x0000000076510000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 10:28

Reported

2024-01-30 10:31

Platform

win7-20231215-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\images.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe

"C:\Users\Admin\AppData\Local\Temp\8233910c5b0fe9b4aa55c4f2263aebb4.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Network

Country | Destination | Domain | Proto
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp
NL | 194.5.97.52:11101 | | tcp

Files

memory/2176-0-0x00000000766A0000-0x00000000767A0000-memory.dmp

memory/2176-1-0x00000000020C0000-0x0000000002214000-memory.dmp

memory/2176-3-0x0000000002410000-0x0000000002F10000-memory.dmp

C:\ProgramData\images.exe

MD5 c4445fba4d65c598c410aa4237543bd7
SHA1 0742ba8c5b8bf22410eee585fb91ec9b780295e4
SHA256 19b51c5586c68a6374e1497fe2d1e40b4d655a957891de2520751ff8cc698a06
SHA512 d6b0813461b0953aef213f1dd9e43892bbc737c77f230ad5f8204070e13423c86eb4b8434f88e0352c4586db3ded656dc441bf6e9b3ef5eb4ef56f28fe8153f3

memory/2176-14-0x00000000020C0000-0x0000000002214000-memory.dmp

\ProgramData\images.exe

MD5 dda87809f248f484d83d60720d0c0694
SHA1 a7d3db4aa8498592505da245b0dbdd9216d80124
SHA256 f5934ace8bab016709a9fa480d6260f30529b0162d77a96ea356cfcea8354048
SHA512 d900ca3ccff784a0c360c932add8e1d7fa35a0ad2b844192afd81645c22737d82067227ed7f954f05e3e41e69edd05ffda01ea38001d6a0a6f1bf8e514045346

memory/2176-15-0x00000000766A0000-0x00000000767A0000-memory.dmp

memory/2856-16-0x0000000002DC0000-0x0000000002F14000-memory.dmp

C:\ProgramData\images.exe

MD5 8233910c5b0fe9b4aa55c4f2263aebb4
SHA1 d7459b1c29c2db9b0d978b51bd8df0cd7abc3575
SHA256 b0055410b3532760da065b33ac487f42f31c90ffc60f88ac3ed8a22e53240d52
SHA512 5039622534051087f5d5030c76951fc32f7133445571b686555cf2666eb2fa6e91ee741d7df359bc9e803ce99dcf8518cefc7eaf0bc30ceeeb81320015609960

memory/2856-24-0x00000000766A0000-0x00000000767A0000-memory.dmp