Overview

overview

10

Static

static

3

2025-04-15...fo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2025, 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-15_0b019016508a828c0ee4a8b690abe2bd_black-basta_elex_luca-stealer_metamorfo.exe

  • Size

    1019KB

  • MD5

    0b019016508a828c0ee4a8b690abe2bd

  • SHA1

    a26dff2992ae833d5af1d3da4a9ec678e6dee58e

  • SHA256

    a9f5ff12d64cfdf5555adbe1931f80679075d7d1215a67fd57b1728f451a2d91

  • SHA512

    e050d6a0ab3c6840d0ca695a9c4f244bff5b98c086414673a2a8a64092f6c12fe28dbd25414e879576910d43f919a0ab393738c5b4e3b3918a937db55ea0efd1

  • SSDEEP

    12288:9crNS33L10QdrXi4P7r9r/+ppppppppppppppppppppppppppppp0GHpneWemGWg:ANA3R5drXj1qHpeWWWT3IFTw79EvE08k

Score
10/10
warzoneratdiscoveryinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

bhirtyfive55.ydns.eu:5210

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-15_0b019016508a828c0ee4a8b690abe2bd_black-basta_elex_luca-stealer_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-15_0b019016508a828c0ee4a8b690abe2bd_black-basta_elex_luca-stealer_metamorfo.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zjthgfxtr.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Users\Admin\AppData\Local\Temp\zdrsgss.sfx.exe
        zdrsgss.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pzalepdnoioihmyjfiodtgfsafdyehofxvflfnouydnlnafugyfHbgnmeGRhvqxsd
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
          "C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
            C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4844
          • C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
            C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\ProgramData\cdimages.exe
              "C:\ProgramData\cdimages.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5920
              • C:\ProgramData\cdimages.exe
                C:\ProgramData\cdimages.exe
                7⤵
                • Executes dropped EXE
                PID:1232
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 80
                  8⤵
                  • Program crash
                  PID:6116
              • C:\ProgramData\cdimages.exe
                C:\ProgramData\cdimages.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1360
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\cdimages.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\ProgramData\cdimages.exe
      C:\ProgramData\cdimages.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\ProgramData\cdimages.exe
        C:\ProgramData\cdimages.exe
        3⤵
        • Executes dropped EXE
        PID:5340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 80
          4⤵
          • Program crash
          PID:3380
      • C:\ProgramData\cdimages.exe
        C:\ProgramData\cdimages.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3948
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5340 -ip 5340
    1⤵
      PID:5964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1232 -ip 1232
      1⤵
        PID:5396

      Network

      MITRE ATT&CK Enterprise v16

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cdimages.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zdrsgss.exe
        Filesize

        338KB

        MD5

        ab67675ad662ff28a8e2a4d2ae250ff7

        SHA1

        5dfbccc0fa627246b47a1a1a906ce0c2e320f43b

        SHA256

        64f3ead3070fa7adf01df565f9c10ef8215419bd0638edca827129c7192f0469

        SHA512

        bb12ccbbe4c51b6fccd5ac41f4fa6206df29269b3075503c7dd5622a7f3ed8bbfdfd2d3f811c99212ee7bfef5bfb257144c5a72f1cdd204441f976b707703c5f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zdrsgss.sfx.exe
        Filesize

        672KB

        MD5

        bb3d4c80e07c4560e2e8915512dc7b0b

        SHA1

        307f5402b517df6f929ed95423030b1f8ac134d5

        SHA256

        580db89867cfd289d22454c436e758b71e40b01da253d5470c0574ca8232ef49

        SHA512

        587384dd7347cd96470c354f7d9fd5b573f9982efac80384c355763088926e0de30e5e186e5b8074695526e9e4f169ed8f301ed9f6654bea7d6095a149b37d72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zjthgfxtr.cmd
        Filesize

        35KB

        MD5

        878810f31891e5478d2959d3b034f2bc

        SHA1

        ae39a838b5b6c9ae16ece88c10d6304891fcc0b4

        SHA256

        87384046a51409723001a2565cc13ac8915a5c000c22de693001f0cb216901e5

        SHA512

        f3e0c23436976b839148443af02e6bb8a8e1fbd41fefa339ae5a5f509eafb4c95f510101ba1f0ca37c4bf3b10199ef7d1c09d2ec55ea932caf776a7a837c2ca9

        Download Submit

      • memory/1360-44-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4824-25-0x0000000007720000-0x0000000007CC4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4824-24-0x00000000070D0000-0x000000000716C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4824-26-0x0000000007210000-0x00000000072A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4824-27-0x0000000002420000-0x0000000002426000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4824-23-0x0000000006FC0000-0x000000000702A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/4824-22-0x0000000000180000-0x00000000001DA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/4844-28-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4844-32-0x0000000000400000-0x0000000000554000-memory.dmp

        Filesize

        1.3MB

        Download