Overview

overview

10

Static

static

10

abd3e1774e...fc.exe

windows7-x64

10

abd3e1774e...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-07-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc.exe

  • Size

    1.4MB

  • MD5

    fac91b50d556c45d01f0febb03cb5359

  • SHA1

    0b58a2cbd8fca4585201a57de1c1316f6ee6c78e

  • SHA256

    abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc

  • SHA512

    8f057555e59ffe4718b5fe60df494c7f592093aac04b56e57ef40db1db683cae24d635a97c062a01ffd8d3f5aad105bea80ba0c691a5d2b7c4cb345582fc66f3

  • SSDEEP

    24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYr:Fo0c++OCokGs9Fa+rd1f26RNYr

Score
10/10
netwirewarzoneratbotnetinfostealerratstealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    sunshineslisa

  • install_path

    %AppData%\Imgburn\Host.exe

  • keylogger_dir

    %AppData%\Logs\Imgburn\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    sucess

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

  • NetWire RAT payload 19 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc.exe
    "C:\Users\Admin\AppData\Local\Temp\abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Users\Admin\AppData\Roaming\Blasthost.exe
      "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
        "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
        3⤵
        • Executes dropped EXE
        PID:3092
    • C:\Users\Admin\AppData\Local\Temp\abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc.exe
      "C:\Users\Admin\AppData\Local\Temp\abd3e1774e2fe9a03f0ded475d2d16ae79d925fae34b337faf2fe9acf4c971fc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4684
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2812
    • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Roaming\Blasthost.exe
        "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
        2⤵
        • Executes dropped EXE
        PID:4792
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe"
          3⤵
            PID:2432
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4180
      • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Users\Admin\AppData\Roaming\Blasthost.exe
          "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
          2⤵
          • Executes dropped EXE
          PID:2936
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4836
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            3⤵
              PID:3892
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
            2⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1584
        • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:932
          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
            2⤵
            • Executes dropped EXE
            PID:1552
          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1472
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              3⤵
                PID:4540
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
              2⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4004

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Blasthost.exe
            Filesize

            132KB

            MD5

            6087bf6af59b9c531f2c9bb421d5e902

            SHA1

            8bc0f1596c986179b82585c703bacae6d2a00316

            SHA256

            3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

            SHA512

            c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

            Download Submit

          • C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
            Filesize

            1.4MB

            MD5

            717dc492b77117967d6a2d32e160e8d4

            SHA1

            f41dd1f2b8a8ac37ed2f27318267249dae9e821d

            SHA256

            0b62a67546dfc6eb800b00164d81195f8a48bdb45952884b519731098f4a7a13

            SHA512

            16dcfe0028fb8339b5da18fcae3807b60b7372ebe3134784da4e6c15c8c26ade63f7fc9dd00b3d06b3670305bb18fe387871261d2c1d6d97cce1272b079e9434

            Download Submit

          • memory/932-110-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/932-98-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1568-11-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/1884-50-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1884-31-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2216-23-0x0000000000800000-0x000000000081D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2216-24-0x0000000000D10000-0x0000000000E7B000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2216-14-0x0000000000800000-0x000000000081D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2432-51-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2476-49-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2476-40-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2476-48-0x0000000000400000-0x000000000041D000-memory.dmp

            Filesize

            116KB

            Download

          • memory/2936-86-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/2936-83-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/3092-29-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/3092-53-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/3424-66-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3424-77-0x0000000000690000-0x00000000007FB000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3892-78-0x00000000013F0000-0x00000000013F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4684-27-0x00000000009D0000-0x00000000009D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4792-55-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/4792-59-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/5088-0-0x0000000000D10000-0x0000000000E7B000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/5088-26-0x0000000000D10000-0x0000000000E7B000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/5088-22-0x0000000000C70000-0x0000000000C71000-memory.dmp

            Filesize

            4KB

            Download