File name: | 9.z |
Full analysis: | https://app.any.run/tasks/4e473207-f39e-48ee-afc9-d9038267896d |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | August 13, 2019, 12:55:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-lzh-compressed |
File info: | LHa (2.x) archive data [lh5], with "New Order AUGST (GD-2607019)_Docx.scr" |
MD5: | 9639E3561745563F1082ECCEAFB16FA1 |
SHA1: | 6553F44B58002400D5C00492E009B9F3D1D8EBC9 |
SHA256: | 8C4EF0EA5EEB5C1F43EA929ED187EE7D9A435DD85BBEE9F43198A9F3F4FB1DC7 |
SSDEEP: | 6144:TG1DITLyz/LyOvoSFlNMVIalis0GZwGya66lv:mc8zFllNM7PZNy10v |
.lzh/lha | | | LHARC/LZARK compressed archive (generic) (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2612 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\9.z.lzh" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
4008 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" /S | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | explorer.exe | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Version: 05.05.99.96 | ||||
1208 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | New Order AUGST (GD-2607019)_Docx.scr | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Exit code: 3221225477 Version: 05.05.99.96 | ||||
956 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | New Order AUGST (GD-2607019)_Docx.scr | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Exit code: 3221225477 Version: 05.05.99.96 | ||||
3728 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | New Order AUGST (GD-2607019)_Docx.scr | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Exit code: 3221225477 Version: 05.05.99.96 | ||||
3588 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | New Order AUGST (GD-2607019)_Docx.scr | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Exit code: 3221225477 Version: 05.05.99.96 | ||||
2736 | "C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr" | C:\Users\admin\Desktop\New Order AUGST (GD-2607019)_Docx.scr | New Order AUGST (GD-2607019)_Docx.scr | |
User: admin Company: Valve Corporation Integrity Level: MEDIUM Description: gameoverlayui.exe Version: 05.05.99.96 |
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\9.z.lzh | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2612) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | @shell32,-10162 |
Value: Screen saver | |||
(PID) Process: | (1208) New Order AUGST (GD-2607019)_Docx.scr | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2612 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2612.44564\New Order AUGST (GD-2607019)_Docx.scr | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1208 | New Order AUGST (GD-2607019)_Docx.scr | 79.134.225.39:2134 | ndubaba45.warzonedns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
2736 | New Order AUGST (GD-2607019)_Docx.scr | 79.134.225.39:2134 | ndubaba45.warzonedns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
956 | New Order AUGST (GD-2607019)_Docx.scr | 79.134.225.39:2134 | ndubaba45.warzonedns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
3728 | New Order AUGST (GD-2607019)_Docx.scr | 79.134.225.39:2134 | ndubaba45.warzonedns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
3588 | New Order AUGST (GD-2607019)_Docx.scr | 79.134.225.39:2134 | ndubaba45.warzonedns.com | Andreas Fink trading as Fink Telecom Services | CH | malicious |
Domain | IP | Reputation |
---|---|---|
ndubaba45.warzonedns.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1208 | New Order AUGST (GD-2607019)_Docx.scr | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
956 | New Order AUGST (GD-2607019)_Docx.scr | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
3728 | New Order AUGST (GD-2607019)_Docx.scr | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
3588 | New Order AUGST (GD-2607019)_Docx.scr | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
2736 | New Order AUGST (GD-2607019)_Docx.scr | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
Process | Message |
---|---|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
|
New Order AUGST (GD-2607019)_Docx.scr |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
|