Malware Analysis Report

2025-01-22 14:20

Sample ID 240228-klghvafe3w
Target ab78faca00cd8131d04b168316e6d946
SHA256 52889914e1b92e6ae60620c58746699ee4cb3586e7b967c69efa5088b5bef91e
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

52889914e1b92e6ae60620c58746699ee4cb3586e7b967c69efa5088b5bef91e

Threat Level: Known bad

The file ab78faca00cd8131d04b168316e6d946 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Uses the VBS compiler for execution

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 08:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 08:41

Reported

2024-02-28 08:43

Platform

win7-20240221-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1044 set thread context of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 1044 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 1044 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 1044 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 1044 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1044 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1896 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1896 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1896 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1896 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe

"C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yKmigdHEcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88BF.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 200

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp88BF.tmp

MD5 014cb23da822c1905e29cb9dbf604bb3
SHA1 84b859aaab5b9209096c8970e7a72b1b4213f545
SHA256 63bf20d8317eee50fdb51ccb2bc312acd793d513e43a123a826713268248a5fc
SHA512 b4c8c6595839005a25b589fa0b8a3c65fea5ff90be2f258ca1d85db4721219459322987a4a8afc8b42a2a8199130aa2dc4f908b938b76c1847d13b3ccdd4435a


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 08:41

Reported

2024-02-28 08:43

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2376 set thread context of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2376 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe

"C:\Users\Admin\AppData\Local\Temp\ab78faca00cd8131d04b168316e6d946.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yKmigdHEcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C1E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 pentester01.duckdns.org udp
FR 141.95.136.82:60976 pentester01.duckdns.org tcp
US 8.8.8.8:53 82.136.95.141.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 pentester01.duckdns.org udp
FR 141.95.136.82:60976 pentester01.duckdns.org tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8C1E.tmp

MD5 e4b4f1745199894d5e70f2802253285c
SHA1 411161c95567c978ea4bd582f620170776b22937
SHA256 9e0a67c6a6b008fcc1829644b4dcecc59d214dbdf81eff360ee2da7f86ee4659
SHA512 8d9173a92eb86360a9cef23f86744441b55e39c1a9c569b8665398f28dd822df1b4e97fa33ce6b0ee9b0b0ff3b6e556a1e330f282467357b544c6d0812c6646e
