warzonerat | f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c.exe
Size

132KB
MD5

7b612e4acba9858b80edcc1213e12820
SHA1

d946028f2e8b0c382ef9c1fb45029a78990960d2
SHA256

f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c
SHA512

d9d0620e61e75d0e47221d18400c01f039db469d3ca949a6351f1dcbb3c8dcfcbbdfdccccbc5a0f0bd778260ab3539b63f43ffa0cc6c437b3125d5016bbcb9bc
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

rat warzonerat

Malware Config

Extracted

Family

warzonerat

45.138.16.219:61995

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
sample	warzonerat

Warzonerat family
warzonerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c.exe

Files

f9ebef99fedb86176dafbdecb67a9f600be7f6acb1299deeeb40d4a689018f1c.exe
.exe windows:6 windows x86 arch:x86

56fc94e02d7bc310030753938e49a91a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

webservices

WsFileTimeToDateTime

bcrypt

BCryptSetProperty
BCryptGenerateSymmetricKey
BCryptOpenAlgorithmProvider
BCryptDecrypt

kernel32

lstrcpyW
GetTickCount
HeapAlloc
GetProcessHeap
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
LocalAlloc
LocalFree
SystemTimeToFileTime
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
GetModuleHandleW
IsWow64Process
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
lstrcmpA
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
WaitForSingleObject
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
CreateProcessW
CreateEventA
GetModuleFileNameW
WideCharToMultiByte
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
lstrlenA
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
K32GetModuleFileNameExW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
DeleteFileW
SizeofResource
VirtualProtect
GetSystemDirectoryW
LockResource
GetWindowsDirectoryW
Process32First
Process32Next
GetTempPathA
ExpandEnvironmentStringsW
lstrlenW
lstrcmpW
CreateProcessA
WinExec
ExitProcess
GetProcAddress
lstrcpyA
CloseHandle
lstrcatW
LoadLibraryA
GetLastError
GetPrivateProfileStringW
GetModuleHandleA
GetTempPathW
VirtualFree
SetLastError
Sleep
GetModuleFileNameA
CreateDirectoryW
MultiByteToWideChar
lstrcatA
SetCurrentDirectoryW
InitializeCriticalSection

user32

GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
ToUnicode
wsprintfW
PostQuitMessage
GetLastInputInfo
GetForegroundWindow
GetWindowTextW
wsprintfA
GetKeyNameTextW
CharLowerW

advapi32

RegDeleteValueW
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
RegCreateKeyExW
RegDeleteKeyW
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
GetTokenInformation
RegSetValueExA

shell32

SHGetFolderPathW
ShellExecuteExA
ord680
SHGetKnownFolderPath
SHFileOperationW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW

urlmon

URLDownloadToFileW

ws2_32

getaddrinfo
setsockopt
freeaddrinfo
htons
recv
socket
send
WSAConnect
WSAStartup
shutdown
closesocket
WSACleanup
connect
InetNtopW
gethostbyname
inet_addr

ole32

CoCreateInstance
CoInitialize
CoTaskMemFree
CoUninitialize
CoInitializeSecurity

shlwapi

StrStrW
PathFindExtensionW
PathCombineA
PathFindFileNameW
StrStrA
PathRemoveFileSpecA
PathFileExistsW

netapi32

NetUserAdd
NetLocalGroupAddMembers

oleaut32

VariantInit

crypt32

CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW

wininet

InternetTimeToSystemTimeA

Sections

.text
Size: 92KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

56fc94e02d7bc310030753938e49a91a

Headers

DLL Characteristics

File Characteristics

Imports

webservices

bcrypt

kernel32

user32

advapi32

shell32

urlmon

ws2_32

ole32

shlwapi

netapi32

oleaut32

crypt32

wininet

Sections

.text Size: 92KB - Virtual size: 92KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 1KB - Virtual size: 1.2MB

.rsrc Size: 11KB - Virtual size: 11KB

.reloc Size: 5KB - Virtual size: 4KB

.bss Size: 512B - Virtual size: 4KB

.text
Size: 92KB - Virtual size: 92KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 1KB - Virtual size: 1.2MB

.rsrc
Size: 11KB - Virtual size: 11KB

.reloc
Size: 5KB - Virtual size: 4KB

.bss
Size: 512B - Virtual size: 4KB