Malware Analysis Report

2025-01-22 14:11

Sample ID 240228-qal7vacc24
Target abf1c1e6b70bc08cf534618d01768d99
SHA256 b8c70f4d02b8d385d363b5fe8fe263a0a6469478e268b56a02c218c4182d42bf
Tags

warzonerat infostealer rat

score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8c70f4d02b8d385d363b5fe8fe263a0a6469478e268b56a02c218c4182d42bf

Threat Level: Known bad

The file abf1c1e6b70bc08cf534618d01768d99 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

CustAttr .NET packer

Warzone RAT payload

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 13:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 13:03

Reported

2024-02-28 13:06

Platform

win7-20240221-en

Max time kernel

125s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2928 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2928 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 2928 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\injXWAqgHyVN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE50.tmp"

C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

Network

Country | Destination | Domain | Proto
NL | 185.222.57.226:3554 | | tcp
NL | 185.222.57.226:3554 | | tcp
NL | 185.222.57.226:3554 | | tcp
NL | 185.222.57.226:3554 | | tcp

Files

memory/2928-0-0x0000000000840000-0x0000000000980000-memory.dmp

memory/2928-1-0x0000000074A50000-0x000000007513E000-memory.dmp

memory/2928-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

memory/2928-3-0x0000000000380000-0x0000000000392000-memory.dmp

memory/2928-4-0x0000000074A50000-0x000000007513E000-memory.dmp

memory/2928-5-0x0000000004E10000-0x0000000004E50000-memory.dmp

memory/2928-6-0x0000000005860000-0x00000000058EC000-memory.dmp

memory/2928-7-0x0000000000650000-0x0000000000672000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBE50.tmp

MD5 50fdb49d19009ed3bc3bba91fbfe1c61
SHA1 52984eebf48483d1e3e76ed91c6a11b339d2830d
SHA256 0b2b999aff88cb1e21ad8f17ef6a92f7a7c2d8694e6ee6652373d0aa97523760
SHA512 d04cb339804efd8bdb809610ed8362df44a83a46a13404f3ddacf5d059a247ae192d3993944e21beeec5d94976265d5e007c10ee1780458fdfd8206aaff84376

memory/2476-13-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-15-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-17-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-19-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-22-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-23-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2476-26-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-28-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2928-29-0x0000000074A50000-0x000000007513E000-memory.dmp

memory/2476-30-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2476-31-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 13:03

Reported

2024-02-28 13:06

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

CustAttr .NET packer

Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3464 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3464 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe
PID 3464 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe | C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\injXWAqgHyVN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE484.tmp"

C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe

"C:\Users\Admin\AppData\Local\Temp\abf1c1e6b70bc08cf534618d01768d99.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
NL | 185.222.57.226:3554 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
NL | 185.222.57.226:3554 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
NL | 185.222.57.226:3554 | | tcp
NL | 185.222.57.226:3554 | | tcp
NL | 185.222.57.226:3554 | | tcp
US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp

Files

memory/3464-1-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3464-0-0x00000000003A0000-0x00000000004E0000-memory.dmp

memory/3464-2-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

memory/3464-3-0x0000000005510000-0x0000000005AB4000-memory.dmp

memory/3464-4-0x0000000005000000-0x0000000005092000-memory.dmp

memory/3464-5-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/3464-6-0x0000000004F70000-0x0000000004F7A000-memory.dmp

memory/3464-7-0x00000000050A0000-0x00000000050F6000-memory.dmp

memory/3464-8-0x00000000054B0000-0x00000000054C2000-memory.dmp

memory/3464-9-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3464-10-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/3464-11-0x0000000006810000-0x000000000689C000-memory.dmp

memory/3464-12-0x0000000008D00000-0x0000000008D22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE484.tmp

MD5 391bfd801cd45a3671e94bd82a687c2e
SHA1 4ff77175e910d313fd1403b54d99a804b83c874b
SHA256 d34137a608d1794ce280c4369d71b404497051f06d2ab13452eef5d4a520ae4f
SHA512 b58a0d79d094afbbfa56c25ebb6c65d593af3efc1989800e8ebca82a942a8c814c4931d37751cd98516b6427f61b37491fe1a9df7e448a8ac2b90b90f5704faf

memory/4172-18-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4172-21-0x0000000000400000-0x0000000000554000-memory.dmp

memory/3464-22-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/4172-23-0x0000000000400000-0x0000000000554000-memory.dmp

memory/4172-24-0x0000000000400000-0x0000000000554000-memory.dmp