warzonerat | Celesty[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Celesty.zip
Size

58KB
MD5

fedc3a27375f81cd890d658678e07058
SHA1

b08bf3e9df71d4b8c1f37843a122a205b16c52f5
SHA256

e2098968949c37b9ccdfe772dd68325316720840fc6c9e7b014fbf2ba51c7425
SHA512

dfabe2fcd27f091dccc9336d5e2a9ff587385332fce2e5244aa2f7dbe65f79f7d8007ee5bbfeca4948ef4e57200f3855b0d7f758774bc80d02abbd6585081344
SSDEEP

1536:v8PXjrrvnnB+F5bpYlm6VZMXErniTsVIkjgLpau5dt:czfq5bpYl7/MXETLgLpau5dt

Score

10^/10

rat warzonerat

Malware Config

Extracted

Family

warzonerat

su8z3r0.myvnc.com:9876

Signatures

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/Celesty/Celesty Binder v1 0 .exe	warzonerat

Warzonerat family
warzonerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Celesty/Celesty Binder v1 0 .exe

Files

Celesty.zip
.zip

Password: CelestyBinder
Celesty/Celesty Binder v1 0 .exe
.exe windows:5 windows x86 arch:x86

Password: CelestyBinder

8d75bab5909750c32ca321ba486edee2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameW
GetTempPathA
CreateFileA
LockResource
LoadResource
FindResourceW
CreateProcessW
GetModuleHandleA
HeapAlloc
GetProcessHeap
LoadLibraryA
GetProcAddress
ExitProcess
GetCommandLineA
GetStartupInfoA
HeapFree
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
SizeofResource
GetPrivateProfileStringW
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
LocalFree
GetFileSize
FreeLibrary
WaitForSingleObject
GetCurrentProcess
WaitForMultipleObjects
CreatePipe
VirtualAlloc
DuplicateHandle
SetEvent
CreateEventA
GetComputerNameW
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
Sleep
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
VirtualProtect
lstrcmpW
GetTickCount
lstrcpyW
WideCharToMultiByte
lstrcpyA
MultiByteToWideChar
lstrcatA
WriteFile
VirtualFree
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
lstrcatW
GetLastError
SetLastError
PeekNamedPipe
CreateDirectoryW
GetTempPathW
LeaveCriticalSection

user32

MessageBoxA
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
SetWindowsHookExA
RegisterClassW
GetRawInputData
MapVirtualKeyA
GetForegroundWindow
DefWindowProcA
PostQuitMessage
TranslateMessage
ToUnicode
GetKeyNameTextW
wsprintfW
GetWindowTextW
GetLastInputInfo
wsprintfA
RegisterRawInputDevices

advapi32

FreeSid
LookupAccountSidW
GetTokenInformation
CloseServiceHandle
OpenSCManagerW
RegCreateKeyExA
StartServiceW
EnumServicesStatusExW
RegSetValueExA
RegDeleteKeyW
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
RegDeleteValueW

shell32

SHGetSpecialFolderPathW
ShellExecuteA
ord680
SHCreateDirectoryExW
ShellExecuteExA
SHGetFolderPathW
ShellExecuteW

urlmon

URLDownloadToFileW

ws2_32

getaddrinfo
setsockopt
freeaddrinfo
htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
ioctlsocket
ntohs
gethostbyname
inet_addr

ole32

CoCreateInstance
CoUninitialize
CoInitialize
CoTaskMemFree

shlwapi

PathFileExistsW
StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
PathFindExtensionW

netapi32

NetLocalGroupAddMembers
NetUserAdd

oleaut32

VariantInit

crypt32

CryptStringToBinaryA
CryptUnprotectData

psapi

GetModuleFileNameExW

wininet

InternetOpenUrlW
InternetOpenW
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Celesty/Lang/AR.ini
Celesty/Lang/EN.ini
Celesty/Lang/ES.ini
Celesty/Lang/FR.ini
Celesty/Lang/GR.ini
Celesty/Lang/IT.ini
Celesty/Lang/NO.ini
Celesty/Lang/SE.ini
Celesty/Lang/SR.ini
Celesty/Lang/VN.ini

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: CelestyBinder

Password: CelestyBinder

8d75bab5909750c32ca321ba486edee2

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

urlmon

ws2_32

ole32

shlwapi

netapi32

oleaut32

crypt32

psapi

wininet

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 512B - Virtual size: 6KB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 3KB - Virtual size: 3KB

.bss Size: 512B - Virtual size: 4KB

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 6KB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 3KB - Virtual size: 3KB

.bss
Size: 512B - Virtual size: 4KB