Malware Analysis Report

2024-10-24 16:46

Sample ID 240417-p23hgafh26
Target 736144e3fddcbfd58aa6f58d1c3ec143b1ba08d3a8e614bf6df447352097f931
SHA256 736144e3fddcbfd58aa6f58d1c3ec143b1ba08d3a8e614bf6df447352097f931
Tags
warzonerat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

736144e3fddcbfd58aa6f58d1c3ec143b1ba08d3a8e614bf6df447352097f931

Threat Level: Known bad

The file 736144e3fddcbfd58aa6f58d1c3ec143b1ba08d3a8e614bf6df447352097f931 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Warzonerat family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-17 12:50

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
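
The static "Unsigned PE" signature above fires because the sample carries no Authenticode certificate table. The following is an added example (not the sandbox's own detection code) that reproduces the check from the PE headers with only the standard library: it locates the security data directory (index 4) and reports whether it points at a certificate blob inside the file. The header-only PE32+ images it builds are constructed test input, not the sample itself.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Authenticode certificate table


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at 92, directories start at 96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at 108, directories start at 112
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    entry = dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    # Small or truncated optional headers may simply not contain the entry.
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < entry + 8:
        return (0, 0)
    return struct.unpack_from("<II", pe, opt + entry)


def has_authenticode(pe: bytes) -> bool:
    """True if a certificate table is present and lies inside the file.

    Unlike the other data directories, the security entry holds a raw file
    offset rather than an RVA. Presence says nothing about validity or trust.
    """
    off, size = security_directory(pe)
    return off != 0 and size != 0 and off + size <= len(pe)


def build_minimal_pe(with_certificate: bool) -> bytes:
    """Constructed header-only PE32+ image used as sample input (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)          # 64 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # 24 bytes
    opt = bytearray(240)                                                    # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt)
    cert = b""
    if with_certificate:
        cert = b"\0" * 64  # stand-in for a WIN_CERTIFICATE blob appended after the headers
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, header_len, len(cert))
    return dos + coff + bytes(opt) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_minimal_pe(with_certificate=False)  # mirrors the unsigned sample
    print("certificate table:", security_directory(data))
    print("signed:", has_authenticode(data))
```

Run it against a real file with `python3 check_pe.py sample.exe`. A present certificate table only means the binary carries a signature blob; whether that signature is valid and chains to a trusted root is a separate check (`signtool verify /pa` on Windows, or `osslsigncode verify` elsewhere), which this example deliberately does not perform.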

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 12:50

Reported

2024-04-17 12:53

Platform

win7-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Processes

C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe

"C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 12:50

Reported

2024-04-17 12:53

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Processes

C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe

"C:\Users\Admin\AppData\Local\Temp\6f00f39f32bb3556f024b6e877337a8e6ba5a2feda5d1187e85684de23471ff7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
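
Both behavioral runs show the same pattern: a DNS lookup of wrzn.duckdns.org via the sandbox resolver (8.8.8.8), then repeated TCP connections to 89.117.23.25:45560, the resolved C2. The in-addr.arpa rows are reverse lookups and carry no forward destination, so they are separated out rather than treated as C2 traffic. The following is an added example (not part of the sandbox report) that parses rows in the report's table format, aggregates repeated connections into beacon candidates, flags dynamic-DNS domains, and emits Suricata rules for the result. The row excerpt and the dynamic-DNS suffix list are constructed for the example.

```python
import re
from collections import Counter

# Constructed excerpt of the behavioral1/behavioral2 network tables above,
# in the report's "Country Destination Domain Proto" layout (not a full capture).
REPORT_ROWS = """\
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 8.8.8.8:53 wrzn.duckdns.org udp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
US 89.117.23.25:45560 wrzn.duckdns.org tcp
"""

# Illustrative free dynamic-DNS suffixes (assumption; extend for your environment).
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse report table rows; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def is_ddns(domain):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def is_ptr(domain):
    return domain.lower().rstrip(".").endswith(".in-addr.arpa")


def summarize(rows):
    """Split rows into forward DNS queries, reverse (PTR) lookups and TCP/UDP flows."""
    dns, ptr, flows = Counter(), 0, Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if is_ptr(r["domain"]):
                ptr += 1
            else:
                dns[r["domain"]] += 1
        else:
            flows[(r["ip"], r["port"], r["domain"])] += 1
    return {"dns": dns, "ptr_lookups": ptr, "flows": flows}


def find_beacons(rows, min_connections=5):
    """Destinations contacted repeatedly on one port within the detonation window."""
    beacons = []
    for (ip, port, domain), n in summarize(rows)["flows"].items():
        if n >= min_connections:
            beacons.append({"ip": ip, "port": port, "domain": domain,
                            "connections": n, "ddns": is_ddns(domain)})
    return sorted(beacons, key=lambda b: -b["connections"])


def suricata_rules(beacons, sid_base=9000000):
    """One IP:port rule and one dns.query rule per beacon; sids are placeholders."""
    rules = []
    for i, b in enumerate(beacons):
        sid = sid_base + 2 * i
        rules.append(
            f'alert tcp $HOME_NET any -> {b["ip"]} {b["port"]} '
            f'(msg:"Warzone RAT C2 {b["domain"]}"; flow:to_server; sid:{sid}; rev:1;)'
        )
        rules.append(
            f'alert dns any any -> any any (msg:"Warzone RAT C2 DNS {b["domain"]}"; '
            f'dns.query; content:"{b["domain"]}"; nocase; sid:{sid + 1}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    s = summarize(rows)
    print("forward DNS:", dict(s["dns"]), "PTR lookups:", s["ptr_lookups"])
    for b in find_beacons(rows):
        print("beacon:", b)
    print("\n".join(suricata_rules(find_beacons(rows))))
```

Pivoting on the domain rather than the IP matters here: a DuckDNS name can be re-pointed by the operator at any time, so the dns.query rule keeps firing after 89.117.23.25 is abandoned, while the IP rule catches hosts that already cached the answer.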

Files

N/A