Overview

overview

10

Static

static

10

6cdabd6b15...cf.exe

windows7-x64

10

6cdabd6b15...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe

  • Size

    1.3MB

  • MD5

    9a330b075e9f608d64b9959aa80d3024

  • SHA1

    e4c1ec6821bab2872c1b6386fbce62d5bc2d6c07

  • SHA256

    6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf

  • SHA512

    24b88517407678114bc8b24965172b9e0d8055166ccd80102ca2a47e8a6308b653cdc54349b8bae3f2ab4a1ddbf8620c665eb293eeec5d61e2cdbc34ec9dc03b

  • SSDEEP

    24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY5:8u0c++OCvkGs9Fa+rd1f26RaY5

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 6 IoCs
    rat
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 16 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe
    "C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe
      "C:\Users\Admin\AppData\Local\Temp\6cdabd6b152d49b047ca6d269b9286b5f49a2fe7c8376e16227d63ef44cd1ccf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:2908
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:2700
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {48BD222F-EFBB-4A50-94F5-8CF4695BCF24} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          3⤵
          • Executes dropped EXE
          PID:2820
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:2220
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            3⤵
            • Creates scheduled task(s)
            PID:1844
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:584
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            3⤵
            • Executes dropped EXE
            PID:600
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            3⤵
            • Executes dropped EXE
            PID:1488
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:2028
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
              3⤵
              • Creates scheduled task(s)
              PID:1996
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            PID:1556
            • C:\Users\Admin\AppData\Roaming\Blasthost.exe
              "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
              3⤵
              • Executes dropped EXE
              PID:2252
            • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
              "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
              3⤵
              • Executes dropped EXE
              PID:3064
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe"
                4⤵
                  PID:2712
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
                3⤵
                • Creates scheduled task(s)
                PID:2628

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit

          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.3MB

            MD5

            be4b0fb22ef7c59bafae729b32291816

            SHA1

            a6e0387a896be85fde7e0b7b84bb7fe7e22ca3a7

            SHA256

            76c7305440c7cad37f9b197a0b7b2e06d4fe996f9ad08d0ff90f1b34762da78a

            SHA512

            9ba03fa55d790d7615648ccdf5e1c428099c12f9e45e97962fa3bf0cafa0514c56eb6f972f43f44a1ebb8b368704e2675b1d530d2cc214510c1f87f99a8c3ec4

            Download Submit

          • memory/1488-109-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1488-106-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1488-100-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/1672-23-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/1848-38-0x0000000001120000-0x0000000001121000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2028-112-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2220-78-0x00000000000C0000-0x00000000000C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-81-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2664-45-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2744-27-0x0000000000080000-0x000000000009D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2744-25-0x0000000000080000-0x000000000009D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2744-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2744-37-0x0000000000080000-0x000000000009D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2820-83-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2820-85-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2880-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2880-66-0x0000000000220000-0x000000000023D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2880-75-0x0000000000220000-0x000000000023D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2908-42-0x0000000000120000-0x0000000000121000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2908-40-0x0000000000120000-0x0000000000121000-memory.dmp

            Filesize

            4KB

            Download