Behavioral task: behavioral1
Sample: 046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7.exe
Resource: win10v2004-20241007-en
General
Target: 046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7.exe
Size: 152KB
MD5: 0a898fdbbb64c5236260b65598a3c1be
SHA1: b92ec7dad61b08ddc4f2ae9ba6d2bc3537392606
SHA256: 046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7
SHA512: 0eb79d232bf3ff96b3710b69a5a29d783e051b39696dd2833af4ac2d1599448c105c5d0f47475b25058c5b9ac86b85cf6f4201bf787a103b203dd8f073a0741e
SSDEEP: 3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5F:4NLYdT97JSIFl0QENqFF
Malware Config
Extracted
warzonerat
daddy.linkpc.net:1145
Signatures
Warzone RAT payload (1 IoCs)
Processes:
resource yara_rule sample warzonerat
Warzonerat family
Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
Processes:
resource 046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7.exe
Files
046a08c40c5ff787bbe473f575f672a15855a3c9b343d57935f8eadac4d1cde7.exe.exe windows:5 windows x86 arch:x86
b9494f92817e4dfbe294ad842e8f1988
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
bcrypt
BCryptGenerateSymmetricKey
BCryptDecrypt
BCryptSetProperty
BCryptOpenAlgorithmProvider
ntdll
NtQueryInformationProcess
RtlInitUnicodeString
RtlEqualUnicodeString
kernel32
GetModuleHandleA
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
CreateProcessA
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
LocalAlloc
lstrcmpW
WaitForSingleObject
CreateProcessW
VirtualProtect
SetFilePointer
ReadProcessMemory
VirtualQueryEx
GetModuleHandleW
IsWow64Process
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
ExitProcess
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
GetTickCount
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
WinExec
Wow64DisableWow64FsRedirection
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
Process32First
Process32Next
SizeofResource
GetTempPathA
LockResource
lstrcpyW
WideCharToMultiByte
lstrcpyA
Sleep
MultiByteToWideChar
lstrcatA
lstrcmpA
lstrlenA
ExpandEnvironmentStringsW
lstrlenW
CloseHandle
lstrcatW
GetLastError
VirtualFree
SetLastError
GetModuleFileNameA
CreateDirectoryW
GetProcAddress
LoadLibraryA
GetProcessHeap
CreateEventA
HeapAlloc
LocalFree
LeaveCriticalSection
user32
CreateDesktopW
CharLowerW
GetKeyState
GetMessageA
DispatchMessageA
CreateWindowExW
CallNextHookEx
GetAsyncKeyState
RegisterClassW
GetRawInputData
MapVirtualKeyA
DefWindowProcA
RegisterRawInputDevices
TranslateMessage
wsprintfA
GetKeyNameTextW
PostQuitMessage
MessageBoxA
GetLastInputInfo
GetForegroundWindow
GetWindowTextW
ToUnicode
wsprintfW
advapi32
LookupPrivilegeValueW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
LookupAccountSidW
GetTokenInformation
QueryServiceStatusEx
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
RegCreateKeyExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
RegDeleteKeyW
shell32
SHFileOperationW
ShellExecuteExW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ShellExecuteW
SHGetKnownFolderPath
ShellExecuteExA
SHGetFolderPathW
urlmon
URLDownloadToFileW
ws2_32
getaddrinfo
setsockopt
freeaddrinfo
htons
recv
connect
socket
send
WSAStartup
shutdown
closesocket
WSACleanup
InetNtopW
gethostbyname
inet_addr
ole32
CoInitialize
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree
shlwapi
PathFileExistsW
PathFindExtensionW
StrStrW
PathRemoveFileSpecA
StrStrA
PathCombineA
PathFindFileNameW
AssocQueryStringW
netapi32
NetLocalGroupAddMembers
NetUserAdd
oleaut32
VariantInit
crypt32
CryptUnprotectData
CryptStringToBinaryA
CryptStringToBinaryW
psapi
GetModuleFileNameExW
Sections
.text Size: 84KB - Virtual size: 84KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 42KB - Virtual size: 1.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.bss Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ