Overview

overview

10

Static

static

10

b858a1f896...ad.exe

windows7-x64

10

b858a1f896...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b858a1f896ba459493486676e59af5ad.exe

  • Size

    152KB

  • MD5

    b858a1f896ba459493486676e59af5ad

  • SHA1

    c8a0ba42f8076b5c2b0d4cd2e0e6225b509b9f0c

  • SHA256

    fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8

  • SHA512

    cab1bf9703921eba97b4686c03583ec8d27b6d8ba6b869e8be7983071d513c9ce1347a345f931365db214de3918e417f0c0c1fa35e5ec681b3a0ee7c59fd87c1

  • SSDEEP

    3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF

Score
10/10
warzoneratinfostealerrattrojan

Malware Config

Extracted

Family

warzonerat

C2

sdafsdffssffs.ydns.eu:6703

Signatures

  • Detects BazaLoader malware 1 IoCs

    BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

    trojan
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b858a1f896ba459493486676e59af5ad.exe
    "C:\Users\Admin\AppData\Local\Temp\b858a1f896ba459493486676e59af5ad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
        3⤵
          PID:2688
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
            PID:2376

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \ProgramData\images.exe
        Filesize

        152KB

        MD5

        b858a1f896ba459493486676e59af5ad

        SHA1

        c8a0ba42f8076b5c2b0d4cd2e0e6225b509b9f0c

        SHA256

        fb55340ef36d5bfae56dd84e51b9aff7996ab7428fd1fcbe53dfb8fdcda244e8

        SHA512

        cab1bf9703921eba97b4686c03583ec8d27b6d8ba6b869e8be7983071d513c9ce1347a345f931365db214de3918e417f0c0c1fa35e5ec681b3a0ee7c59fd87c1

        Download Submit

      • memory/2376-9-0x0000000000160000-0x0000000000161000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2376-11-0x0000000000160000-0x0000000000161000-memory.dmp

        Filesize

        4KB

        Download