File name: | db11e583944ddefc276fd302c0eecf39 |
Full analysis: | https://app.any.run/tasks/a7edca23-0651-4369-9749-c43703b63b6a |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | December 05, 2022, 20:21:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | DB11E583944DDEFC276FD302C0EECF39 |
SHA1: | 662C88E0753E7D006AB7CC43297613A7CB5D811D |
SHA256: | 80E28FCC8B571C2C8FE075896D03ED473E825BB56296563F3D5DFFAA22FE0CCB |
SSDEEP: | 6144:LBnmyK4O/ekC2y6gPXoYBIy1yNUwEghE9fWYJK6:Q7e6gPYYBDy6wEghE9fWYD |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Dec-27 05:38:52 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 216 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2015-Dec-27 05:38:52 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 23626 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41076 |
.rdata | 28672 | 4446 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14255 |
.data | 36864 | 110712 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.22522 |
.ndata | 151552 | 32768 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 184320 | 206648 | 206848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67313 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.6686 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 4.20636 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 4.21554 | 26600 | UNKNOWN | English - United States | RT_ICON |
4 | 4.24892 | 21640 | UNKNOWN | English - United States | RT_ICON |
5 | 4.08716 | 16936 | UNKNOWN | English - United States | RT_ICON |
6 | 7.95631 | 15974 | UNKNOWN | English - United States | RT_ICON |
7 | 4.49335 | 9640 | UNKNOWN | English - United States | RT_ICON |
8 | 4.55083 | 4264 | UNKNOWN | English - United States | RT_ICON |
9 | 5.02221 | 2440 | UNKNOWN | English - United States | RT_ICON |
10 | 4.96191 | 1128 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
892 | "C:\Users\admin\AppData\Local\Temp\db11e583944ddefc276fd302c0eecf39.exe" | C:\Users\admin\AppData\Local\Temp\db11e583944ddefc276fd302c0eecf39.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
4048 | "C:\Users\admin\AppData\Local\Temp\zgoqp.exe" C:\Users\admin\AppData\Local\Temp\beujeu.oxz | C:\Users\admin\AppData\Local\Temp\zgoqp.exe | db11e583944ddefc276fd302c0eecf39.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
652 | "C:\Users\admin\AppData\Local\Temp\zgoqp.exe" | C:\Users\admin\AppData\Local\Temp\zgoqp.exe | zgoqp.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
WarZone(PID) Process(652) zgoqp.exe C2 (1)baramac.duckdns.org:6269 BuildID82PMPE2D Options Install FlagFalse Startup FlagFalse Reverse Proxy local port5000 Offline logTrue PersistanceFalse UAC bypassTrue Defender bypassFalse Use ADSFalse |
(PID) Process: | (4048) zgoqp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | osoudspt |
Value: C:\Users\admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe "C:\Users\admin\AppData\Local\Temp\zgoqp.exe" C:\Users\admin\AppData\Local\T | |||
(PID) Process: | (652) zgoqp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 | |||
(PID) Process: | (652) zgoqp.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPerServer |
Value: 10 |
PID | Process | Filename | Type | |
---|---|---|---|---|
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\zgoqp.exe | executable | |
MD5:FBB51E866CC83F4D5C255D5C6494AC99 | SHA256:022AEB46CBF0FB7D446F7846A8B2EA3684D62DE7B7068F695A43428E410D6C07 | |||
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\nsf978E.tmp | binary | |
MD5:D00E5F2AC1D95785F36EF5E8D87A8FA4 | SHA256:490322A4DF248EF749348C3353943DB682CF0C2AB98C615B097FA8DD98EDC2F5 | |||
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\beujeu.oxz | binary | |
MD5:8317DA4368F4DDEAEB4A823BD6DCD2C6 | SHA256:FC5C555C516DFE2057EDDBFF5055D837BE131707566B2879E23C99D3A4B909FD | |||
4048 | zgoqp.exe | C:\Users\admin\AppData\Roaming\tdvtqndxxhl\kiflb.exe | executable | |
MD5:FBB51E866CC83F4D5C255D5C6494AC99 | SHA256:022AEB46CBF0FB7D446F7846A8B2EA3684D62DE7B7068F695A43428E410D6C07 | |||
892 | db11e583944ddefc276fd302c0eecf39.exe | C:\Users\admin\AppData\Local\Temp\kddzn.ful | binary | |
MD5:8B00AF25E4733D969D9E2432FC68F7DB | SHA256:5B5AD23FDE48EEFA5E559987F77A6277F529AA770E2E4FE57AC9873786EB8343 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
652 | zgoqp.exe | 185.219.80.143:6269 | baramac.duckdns.org | Zomro B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
baramac.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
652 | zgoqp.exe | A Network Trojan was detected | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) |
652 | zgoqp.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |
652 | zgoqp.exe | A Network Trojan was detected | ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin |