Overview

overview

10

Static

static

3

2025-04-15...fo.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2025, 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-15_b4070638b7dedb3315b7ce678e52dea9_black-basta_elex_luca-stealer_metamorfo.exe

  • Size

    1017KB

  • MD5

    b4070638b7dedb3315b7ce678e52dea9

  • SHA1

    80e1bc747732472f7dfb985693003e1123342840

  • SHA256

    c5ec564a1275e6601d4806d7ec3f4f207740c09e11bfd1a314cef26d86480b92

  • SHA512

    b7bd2d07584e45801f4904bb3736c145642be3f7ef2c96239820625492e1895a345707d45e6dc1dd7e641771c0a3783fda9f99fc2b7eddc343370d22d83cb489

  • SSDEEP

    12288:9crNS33L10QdrXi4P7r9r/+ppppppppppppppppppppppppppppp0GHpnCbvltvN:ANA3R5drXj1qHpCbdZGmRG3KZ97Z/

Score
10/10
warzoneratdiscoveryinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

bhirtyfive55.ydns.eu:5210

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzonerat family
    warzonerat
  • Warzone RAT payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-15_b4070638b7dedb3315b7ce678e52dea9_black-basta_elex_luca-stealer_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-15_b4070638b7dedb3315b7ce678e52dea9_black-basta_elex_luca-stealer_metamorfo.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dthgfxtr.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:244
      • C:\Users\Admin\AppData\Local\Temp\dtgerbge.sfx.exe
        dtgerbge.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pgfsafdyehofxvflfnouioihmyjfodtydzalepdnoinlnafugyfHbgnmeGRhvqxsd
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5740
        • C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
          "C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4900
          • C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
            C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:5660
          • C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
            C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5868
            • C:\ProgramData\cdimages.exe
              "C:\ProgramData\cdimages.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3964
              • C:\ProgramData\cdimages.exe
                C:\ProgramData\cdimages.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1272
              • C:\ProgramData\cdimages.exe
                C:\ProgramData\cdimages.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4824
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\cdimages.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\ProgramData\cdimages.exe
      C:\ProgramData\cdimages.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6024
      • C:\ProgramData\cdimages.exe
        C:\ProgramData\cdimages.exe
        3⤵
        • Executes dropped EXE
        PID:5928
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 80
          4⤵
          • Program crash
          PID:1988
      • C:\ProgramData\cdimages.exe
        C:\ProgramData\cdimages.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5928 -ip 5928
    1⤵
      PID:4480

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cdimages.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dtgerbge.exe
      Filesize

      342KB

      MD5

      830adba8e468bb608837e9ccbedf77a6

      SHA1

      9e7d210f2df26e63e029d49e2bfb688bc9d67184

      SHA256

      bff438da0fb193e1d30fd83fe25a349a24106b6f76aa74b531aecca06990ff33

      SHA512

      938d5fc74e62c16fd5fafdd3931dd0b50acdd4122d78d84e71d3cdae959a2b71f9404cd69963db5e48000e4d9242b7d7a230bb18ec8a175268279f8e501876cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dtgerbge.sfx.exe
      Filesize

      667KB

      MD5

      794dce1590947eaffdebe8979fc2e3a1

      SHA1

      50c8b50d3a82e516d4fca0ee73d23219b5bfafdc

      SHA256

      3e99a24d2f323da5edaad6f8cfb2375e43839ca1b44c5ab33b67f37ee61ca100

      SHA512

      f63b6110cc48065168e9dc963084a48b55024f4582cd596c3b81831e3626f272989c315bf653013004dceb9a1970db81d44ea033361172979c0ddeebbc3d333b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dthgfxtr.cmd
      Filesize

      35KB

      MD5

      c2af6c0dada93a8fa724b8e808e35d14

      SHA1

      684ba947ca8e8e290d93481a9aa5ccb9fd4d1065

      SHA256

      610a3b4150d2d70d0266f0933fbd794acbda02bc364fe5b416ff603db9acaba6

      SHA512

      c0e9f4b3b532695445512f760eafa5505c0d9dee00ab688cbbbc18f5d8477b5cf9ab0490a3c088b5fc23a6e29591426421b4b01302a2dd7e26b1c7ef1e59b6d6

      Download Submit

    • memory/1272-42-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4900-25-0x0000000008010000-0x00000000085B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4900-23-0x00000000078B0000-0x000000000791A000-memory.dmp

      Filesize

      424KB

      Download

    • memory/4900-26-0x0000000007A60000-0x0000000007AF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4900-27-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4900-24-0x00000000079C0000-0x0000000007A5C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4900-22-0x00000000009E0000-0x0000000000A3A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/5660-32-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/5660-28-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download