Malware Analysis Report

2025-01-22 14:20

Sample ID 240229-2lmhjafa24
Target afa66b8e771f237de3d28774bc761117
SHA256 65578feb0c4c1850e41dfa8928d9619d3057913feb2ddb83e10fb000c9de5869
Tags
warzonerat infostealer persistence rat

Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

65578feb0c4c1850e41dfa8928d9619d3057913feb2ddb83e10fb000c9de5869

Threat Level: Known bad

The file afa66b8e771f237de3d28774bc761117 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 22:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 22:40

Reported

2024-02-29 22:42

Platform

win7-20240221-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"
Process: C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe

"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
NL 194.5.97.145:9976 tcp
NL 194.5.97.145:9976 tcp
NL 194.5.97.145:9976 tcp
NL 194.5.97.145:9976 tcp
NL 194.5.97.145:9976 tcp

Files

memory/2200-0-0x0000000075920000-0x0000000075A20000-memory.dmp

memory/2200-1-0x0000000002180000-0x00000000022D4000-memory.dmp

memory/2200-3-0x0000000002370000-0x0000000002E70000-memory.dmp

\ProgramData\images.exe

MD5 9437aef9e8bdb096bae754eb35879ce7
SHA1 6d51c986a9ef64e1460cd065e3fb6052239715dd
SHA256 1b3daaf23221030ff9ee2b2af9617c1bb47d8f901c9666d5864d28468034f8a0
SHA512 7285d0ca0aac5be17024c6da9c9a68a6b235d7eac6c87d502e6ab89751889f664f936aeb6a420d5d681756a87ebc6e0e06b824c6839d8f1a0e1fd267cba1f2a6

C:\ProgramData\images.exe

MD5 afa66b8e771f237de3d28774bc761117
SHA1 f5eec9e4d2289d661fa0f4fa18ce16bd6c00b06f
SHA256 65578feb0c4c1850e41dfa8928d9619d3057913feb2ddb83e10fb000c9de5869
SHA512 e0292bd2f66faf1c44b6afeb787e5b6a02b60a27593e376b4bf492b25e38e3f46ffd6a7da7344e09966d23ca795665bb71fd8f73b3266c09fbb45fe7a6111f99

memory/2200-14-0x0000000002180000-0x00000000022D4000-memory.dmp

memory/2200-15-0x0000000075920000-0x0000000075A20000-memory.dmp

memory/2576-16-0x00000000009A0000-0x0000000000AF4000-memory.dmp

C:\ProgramData\images.exe

MD5 2eb81c9ac17aad97c2a7e013a57e018b
SHA1 03bbe8bfefdfad42206a73ace35a95f72a3ab308
SHA256 aaca42251376921b4d883f71af8ef619fa397b55d6ef3d22ef85acd66b0340c0
SHA512 ae662ba5250c8a8a1137ef9ae914a22755a0cd79613b8f0f96aabf5ccfece4d067a3d4486a34dcf3febb31667225e2addb6cc2b1b736fe3fdefff3056a4d4858

memory/2892-24-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2892-26-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2576-30-0x0000000075920000-0x0000000075A20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 22:40

Reported

2024-02-29 22:42

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"
Process: C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe

"C:\Users\Admin\AppData\Local\Temp\afa66b8e771f237de3d28774bc761117.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 194.5.97.145:9976 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 194.5.97.145:9976 tcp
NL 194.5.97.145:9976 tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
NL 194.5.97.145:9976 tcp

Files

memory/2972-0-0x0000000076B80000-0x0000000076D20000-memory.dmp

memory/2972-1-0x0000000003240000-0x0000000003D40000-memory.dmp

memory/2972-2-0x0000000002EB0000-0x0000000003004000-memory.dmp

C:\ProgramData\images.exe

MD5 db855e6916913c5b79d6468428343162
SHA1 e10074d5d85f4b0fc6a3e25c694c826df0f5db99
SHA256 5b84b8e69ade43f9f3e8d5a05e10198b61c1f5ba7a9939fbc26ba8b8f51dc96a
SHA512 f7147726f84f8515c403e2ae47f604a4364e05d8294967d92bbd3321e85b68628f34bb1e863762f9d7acca9f444bcb027e0c210051b89da7ddaf7892e278a215

memory/2972-12-0x0000000002EB0000-0x0000000003004000-memory.dmp

memory/2972-13-0x0000000076B80000-0x0000000076D20000-memory.dmp

C:\ProgramData\images.exe

MD5 c32ab115d9d9b9557a3e80aa9858ad43
SHA1 96ae7aed930134ba6a6a8fe959577d28e8d7136f
SHA256 e9c3a757d7382627f2848b02dcfc5fdd95d925e3aedfbec526e0707a64796ef0
SHA512 19cd406bc40936222c3404166e27a7f86249dcdeb933b233f1b476c76a7927ab48f5752dccffb4a468f17e99fa7829563db292bb7843f730314cbba1d86bcf96

memory/3352-15-0x0000000076B80000-0x0000000076D20000-memory.dmp

memory/3352-16-0x0000000002AB0000-0x0000000002C04000-memory.dmp

memory/3608-23-0x0000000001860000-0x0000000001861000-memory.dmp