Malware Analysis Report

2025-01-22 14:20

Sample ID 240225-hg8enaeg8y
Target a322b280625278dda0c613b6a7f949dd
SHA256 bf2830d89be54e8a25cef3f2a7ec0d0413c7993e4745300420a5b95317da3d27
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf2830d89be54e8a25cef3f2a7ec0d0413c7993e4745300420a5b95317da3d27

Threat Level: Known bad

The file a322b280625278dda0c613b6a7f949dd was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 06:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 06:43

Reported

2024-02-25 06:46

Platform

win7-20240221-en

Max time kernel

126s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no details recorded)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2508 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2560 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2420 (12 calls) N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fZfIyAxsZAAQqf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4135.tmp"

C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

Network

Country Destination Domain Proto
US 20.69.158.38:7400 - tcp (4 connections)

Files

memory/2508-0-0x00000000011F0000-0x00000000012DE000-memory.dmp

memory/2508-1-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2508-2-0x0000000000A60000-0x0000000000AEA000-memory.dmp

memory/2508-3-0x0000000004D10000-0x0000000004D50000-memory.dmp

memory/2508-4-0x0000000000410000-0x0000000000426000-memory.dmp

memory/2508-5-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2508-6-0x0000000004D10000-0x0000000004D50000-memory.dmp

memory/2508-7-0x000000000A9A0000-0x000000000AA32000-memory.dmp

memory/2508-8-0x0000000000B40000-0x0000000000B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4135.tmp

MD5 ab2a05f4570cd01eb96819f4bd7b9c97
SHA1 cbcd30ffd2b890d345e39669ddc38214acb09dbb
SHA256 c541f4a71fe6075add4af70bcd45193f41c668a8ab204fd9832c0a39015938d3
SHA512 0c0c21cf38ad499d32f7ea1ef9d8eaa1af80b1d306308715525f278645e80dcad4cf4e5192ead48961868724bba6181723d17e43171668d9627ce72893e8e6a8

memory/2420-14-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-18-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-20-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-16-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-24-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-26-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2420-30-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-32-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2508-33-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2420-34-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2420-35-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 06:43

Reported

2024-02-25 06:46

Platform

win10v2004-20240221-en

Max time kernel

144s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 216 set thread context of 3680 N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 2920 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Windows\SysWOW64\schtasks.exe
PID 216 wrote to memory of 3680 (11 calls) N/A C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fZfIyAxsZAAQqf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C20.tmp"

C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe

"C:\Users\Admin\AppData\Local\Temp\a322b280625278dda0c613b6a7f949dd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 20.69.158.38:7400 - tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 20.69.158.38:7400 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 20.69.158.38:7400 - tcp
US 20.69.158.38:7400 - tcp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/216-0-0x0000000000640000-0x000000000072E000-memory.dmp

memory/216-1-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/216-2-0x00000000050B0000-0x000000000513A000-memory.dmp

memory/216-3-0x0000000009620000-0x00000000096BC000-memory.dmp

memory/216-4-0x0000000009C70000-0x000000000A214000-memory.dmp

memory/216-5-0x0000000005340000-0x00000000053D2000-memory.dmp

memory/216-6-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/216-7-0x0000000005090000-0x000000000509A000-memory.dmp

memory/216-8-0x0000000005510000-0x0000000005566000-memory.dmp

memory/216-9-0x0000000006950000-0x0000000006966000-memory.dmp

memory/216-10-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/216-11-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/216-12-0x0000000006750000-0x00000000067E2000-memory.dmp

memory/216-13-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C20.tmp

MD5 3545cc5002816edf03ee6c70096bd91c
SHA1 b4f6bd950155d73cae6be840040e5a4ca842fd49
SHA256 d3db51548cdbb6c768df2bce33cf825eda268bf0cf64d8abda37e14552ab20cb
SHA512 450d2607fb6473f7529f5f4b78209b98f103934cb3a531cae399d67c4c125a3ddacccedf7fe3b3dd113bebabf701b70865bbb9efca6ff4ed9dc1905af9676f09

memory/3680-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3680-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/216-23-0x0000000074730000-0x0000000074EE0000-memory.dmp

memory/3680-24-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3680-25-0x0000000000400000-0x0000000000554000-memory.dmp