warzonerat | 099120c6a053ee7608db0b2f576e8086[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

099120c6a053ee7608db0b2f576e8086.bin
Size

73KB
MD5

5dc09c6fc52dcf6d3518c27125ee38f9
SHA1

e3ea78f88ad46e40f45a5904ec5ef23654b2229e
SHA256

ac6cf5b9e1d4d7f0ddad88abecdc4d6c780fc622962a257b13b8deda5dee82d5
SHA512

cc0c36280ab7f55cf6567e9e8318b664aef57c949b31ceb893286834403e25195d26b8e0deccd11e994f16fc0d1dea96af88dd4fe544c4cc88f7f302edc088f9
SSDEEP

1536:MCDS44SindLH3iqaXT6UyFWeX2/C3tmwSfQrJ+B5vVt6rK9PCeYWZ7nHyg:BOVDpajdyFNmqgwSfQrJ+Lv+esepRX

Score

10^/10

rat warzonerat

Malware Config

Extracted

Family

warzonerat

109.248.151.231:52048

Signatures

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
static1/unpack001/a707a64de1846b90fdf608d7f24338e913440c260a579211089861f26932ebf0.exe	warzonerat

Warzonerat family
warzonerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/a707a64de1846b90fdf608d7f24338e913440c260a579211089861f26932ebf0.exe

Files

099120c6a053ee7608db0b2f576e8086.bin
.zip

Password: infected
a707a64de1846b90fdf608d7f24338e913440c260a579211089861f26932ebf0.exe
.exe windows:5 windows x86 arch:x86

Password: infected

b9494f92817e4dfbe294ad842e8f1988

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

bcrypt

BCryptGenerateSymmetricKey
BCryptDecrypt
BCryptSetProperty
BCryptOpenAlgorithmProvider

ntdll

NtQueryInformationProcess
RtlInitUnicodeString
RtlEqualUnicodeString

kernel32

GetModuleHandleA
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
CreateProcessA
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
LocalAlloc
lstrcmpW
WaitForSingleObject
CreateProcessW
VirtualProtect
SetFilePointer
ReadProcessMemory
VirtualQueryEx
GetModuleHandleW
IsWow64Process
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
ExitProcess
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
GetTickCount
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
WinExec
Wow64DisableWow64FsRedirection
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
Process32First
Process32Next
SizeofResource
GetTempPathA
LockResource
lstrcpyW
WideCharToMultiByte
lstrcpyA
Sleep
MultiByteToWideChar
lstrcatA
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
lstrcatW
GetLastError
VirtualFree
SetLastError
GetModuleFileNameA
CreateDirectoryW
GetProcAddress
LoadLibraryA
GetProcessHeap
CreateEventA
HeapAlloc
LocalFree
LeaveCriticalSection

user32

CreateDesktopW
CharLowerW
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
wsprintfA
GetKeyNameTextW
PostQuitMessage
MessageBoxA
GetLastInputInfo
GetForegroundWindow
GetWindowTextW
ToUnicode
wsprintfW

advapi32

LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
GetTokenInformation
QueryServiceStatusEx
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegCreateKeyExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
RegDeleteKeyW

shell32

SHFileOperationW
ShellExecuteExW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW
SHGetKnownFolderPath
ShellExecuteExA
SHGetFolderPathW

urlmon

URLDownloadToFileW

ws2_32

getaddrinfo
setsockopt
freeaddrinfo
htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
InetNtopW
gethostbyname
inet_addr

ole32

CoInitialize
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree

shlwapi

PathFileExistsW
PathFindExtensionW
StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
AssocQueryStringW

netapi32

NetLocalGroupAddMembers
NetUserAdd

oleaut32

VariantInit

crypt32

CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW

psapi

GetModuleFileNameExW

Sections

.text
Size: 84KB - Virtual size: 84KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bss
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

b9494f92817e4dfbe294ad842e8f1988

Headers

DLL Characteristics

File Characteristics

Imports

bcrypt

ntdll

kernel32

user32

advapi32

shell32

urlmon

ws2_32

ole32

shlwapi

netapi32

oleaut32

crypt32

psapi

Sections

.text Size: 84KB - Virtual size: 84KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 42KB - Virtual size: 1.2MB

.reloc Size: 4KB - Virtual size: 4KB

.bss Size: 512B - Virtual size: 4KB

.text
Size: 84KB - Virtual size: 84KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 42KB - Virtual size: 1.2MB

.reloc
Size: 4KB - Virtual size: 4KB

.bss
Size: 512B - Virtual size: 4KB