Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-03-2024 02:02
Behavioral task: behavioral1
Sample: ba3d2569f715cba001a95907847740c5.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: ba3d2569f715cba001a95907847740c5.exe
Resource: win10v2004-20240226-en
General
Target: ba3d2569f715cba001a95907847740c5.exe
Size: 152KB
MD5: ba3d2569f715cba001a95907847740c5
SHA1: 6110a97db563b5044e38f45fc420ae5669b8ba9c
SHA256: 469301f8da3a3ddf892007d92eb5df11810dc36dd9487014073ac49f4bdb70e5
SHA512: e0fe62a76ba3c111d11f209ddfdfdf5650a6d4d797791d48f1f4b6db2193d676e207591c97e95d9e0ba2d77460f2286abe99c93fe0a98761629fac30f7a2b751
SSDEEP: 3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF
Malware Config
Extracted
Family: warzonerat
C2: kezlkelz.duckdns.org:8888
Signatures
Detects BazaLoader malware (1 IoC)
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
Processes:
resource                 yara_rule
\ProgramData\images.exe  BazaLoader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzone RAT payload (1 IoC)
Processes:
resource                 yara_rule
\ProgramData\images.exe  warzonerat
Executes dropped EXE (1 IoC)
Processes:
pid   process
2088  images.exe
Loads dropped DLL (2 IoCs)
Processes:
pid   process
2004  ba3d2569f715cba001a95907847740c5.exe
2004  ba3d2569f715cba001a95907847740c5.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                  pid   process                               target process
PID 2004 wrote to memory of 2088  2004  ba3d2569f715cba001a95907847740c5.exe  images.exe
PID 2004 wrote to memory of 2088  2004  ba3d2569f715cba001a95907847740c5.exe  images.exe
PID 2004 wrote to memory of 2088  2004  ba3d2569f715cba001a95907847740c5.exe  images.exe
PID 2004 wrote to memory of 2088  2004  ba3d2569f715cba001a95907847740c5.exe  images.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba3d2569f715cba001a95907847740c5.exe
   "C:\Users\Admin\AppData\Local\Temp\ba3d2569f715cba001a95907847740c5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2004
   2. C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      - Executes dropped EXE
      PID: 2088
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 152KB
MD5: ba3d2569f715cba001a95907847740c5
SHA1: 6110a97db563b5044e38f45fc420ae5669b8ba9c
SHA256: 469301f8da3a3ddf892007d92eb5df11810dc36dd9487014073ac49f4bdb70e5
SHA512: e0fe62a76ba3c111d11f209ddfdfdf5650a6d4d797791d48f1f4b6db2193d676e207591c97e95d9e0ba2d77460f2286abe99c93fe0a98761629fac30f7a2b751