File name: | c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe |
Full analysis: | https://app.any.run/tasks/564d830a-9540-45db-bcca-9049ce4e809b |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | August 01, 2022, 11:59:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D934BC77B8157ECE0A3BBEC1527CEE9B |
SHA1: | 841017A8D48040F1E0D593608C2506007EA9F997 |
SHA256: | C6E161181E3F246471F546F84655F3DE28E86860DB5C449293A56EFC17024AAC |
SSDEEP: | 3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2020:08:26 07:00:34+02:00 |
PEType: | PE32 |
LinkerVersion: | 14.16 |
CodeSize: | 86528 |
InitializedDataSize: | 1331200 |
UninitializedDataSize: | - |
EntryPoint: | 0x5e28 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 26-Aug-2020 05:00:34 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 26-Aug-2020 05:00:34 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00015077 | 0x00015200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5119 |
.rdata | 0x00017000 | 0x00004E7C | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.88004 |
.data | 0x0001C000 | 0x0013EDD0 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.39582 |
.reloc | 0x0015B000 | 0x000011E0 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.74085 |
.bss | 0x0015D000 | 0x00001000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.38432 |
ADVAPI32.dll |
CRYPT32.dll |
KERNEL32.dll |
NETAPI32.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
WS2_32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3120 | "C:\Users\admin\AppData\Local\Temp\c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe" | C:\Users\admin\AppData\Local\Temp\c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3588 | cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\admin\AppData\Roaming\images.exe" | C:\Windows\system32\cmd.exe | — | c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3380 | "C:\Users\admin\AppData\Roaming\images.exe" | C:\Users\admin\AppData\Roaming\images.exe | c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | |
User: admin Integrity Level: MEDIUM WarZone(PID) Process(3380) images.exe C2 (1)toomuchego.ydns.eu:5200 BuildIDCQT1DXPICPGTH Options Install FlagTrue Install nameimages.exe Startup FlagTrue Startup nameImages Reverse Proxy local port5000 Offline logTrue PersistanceTrue UAC bypassFalse Defender bypassFalse Use ADSFalse | ||||
1808 | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\admin\AppData\Roaming\images.exe" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1344 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3120) c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 | |||
(PID) Process: | (3120) c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPerServer |
Value: 10 | |||
(PID) Process: | (3120) c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CQT1DXPICPGTH |
Operation: | write | Name: | inst |
Value: 643A1183402656C7E551554CED6ECD1655219376532CD64E82E28CC72420D1D6BC884B33A83E36420E1B1786C22DE9065535B5AA5A9FE71A3492590773FEB8C86CDF99EBBFF94FE63A797951D82D1D9F0DA57719 | |||
(PID) Process: | (1808) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows |
Operation: | write | Name: | Load |
Value: C:\Users\admin\AppData\Roaming\images.exe | |||
(PID) Process: | (3380) images.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPer1_0Server |
Value: 10 | |||
(PID) Process: | (3380) images.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | MaxConnectionsPerServer |
Value: 10 | |||
(PID) Process: | (1344) Explorer.EXE | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
3120 | c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac.exe | C:\Users\admin\AppData\Roaming\images.exe | executable | |
MD5:D934BC77B8157ECE0A3BBEC1527CEE9B | SHA256:C6E161181E3F246471F546F84655F3DE28E86860DB5C449293A56EFC17024AAC | |||
3380 | images.exe | C:\Users\admin\AppData\Roaming\cj.GtlJ.tmp | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
3380 | images.exe | C:\Users\admin\AppData\Roaming\ixqsJba.tmp | text | |
MD5:736F7579F0521DAF5695CD8A3B3CDA6A | SHA256:10A24B1012BEF30456C31ABB66DF14CE66BAAA78C450A87E3E647A9E44E31E8E | |||
3380 | images.exe | C:\Users\admin\AppData\Roaming\utCammw.tmp | text | |
MD5:E7CE898AADD69F4E4280010B7808116E | SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3380 | images.exe | 109.206.241.246:5200 | toomuchego.ydns.eu | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
toomuchego.ydns.eu |
| malicious |