File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/35133008-5c55-4dcd-9104-b9f16cf6c85c |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | January 18, 2020, 01:16:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | E768C1F6CC44D3776AB9C9EE92C8C0D8 |
SHA1: | 906E04A33C4E081A8B83E877F25BBD158FCF0567 |
SHA256: | D7B1D3CFF374E29E166F0A03761F670FA4DB012E0894977C46F2336A4F56DCBB |
SSDEEP: | 6144:2bZ8E7CPsBxTddI/CdAtAb0aRnXiObpawayRElken8MBs3VVU6IyI:a8QCPsLTDWBQnXiiawpEke/C7U61I |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | ec2981f40d6443c6bbc5addc60315b4caeaeadbba2217d97f2efff4ba27b6501.bin |
---|---|
ZipUncompressedSize: | 450560 |
ZipCompressedSize: | 332741 |
ZipCRC: | 0xea270d8b |
ZipModifyDate: | 2020:01:17 22:34:21 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1648 | "C:\Users\admin\Desktop\yeet.exe" | C:\Users\admin\Desktop\yeet.exe | explorer.exe | |
User: admin Company: enxzoli Integrity Level: HIGH Description: egiqmo Exit code: 0 Version: 2.6.81.71 | ||||
11744 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4924 | "C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe" | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | yeet.exe | |
User: admin Company: enxzoli Integrity Level: HIGH Description: egiqmo Version: 2.6.81.71 | ||||
7984 | "C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe" | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | Explorers.exe | |
User: admin Company: enxzoli Integrity Level: HIGH Description: egiqmo Version: 2.6.81.71 | ||||
9312 | "C:\Users\admin\AppData\Roaming\Explorers\WHost.exe" | C:\Users\admin\AppData\Roaming\Explorers\WHost.exe | Explorers.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
10204 | "schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\admin\AppData\Local\Temp\tmp5ECF.tmp" | C:\Windows\system32\schtasks.exe | — | Explorers.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
11200 | "schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\admin\AppData\Local\Temp\tmp5F3D.tmp" | C:\Windows\system32\schtasks.exe | — | Explorers.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2484 | "C:\ProgramData\Explorers.exe" | C:\ProgramData\Explorers.exe | WHost.exe | |
User: admin Integrity Level: HIGH |
PID | Process | Filename | Type | |
---|---|---|---|---|
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1752.20604\ec2981f40d6443c6bbc5addc60315b4caeaeadbba2217d97f2efff4ba27b6501.bin | — | |
MD5:— | SHA256:— | |||
7984 | Explorers.exe | C:\Users\admin\AppData\Local\Temp\tmp5ECF.tmp | — | |
MD5:— | SHA256:— | |||
1648 | yeet.exe | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | executable | |
MD5:786D532AC7B47B8A1CC7D08EA0DC772C | SHA256:EC2981F40D6443C6BBC5ADDC60315B4CAEAEADBBA2217D97F2EFFF4BA27B6501 | |||
4924 | Explorers.exe | C:\Users\admin\AppData\Roaming\Explorers\egiqmo.url | text | |
MD5:32B6B0AA07E967C08F5C2BD6E5F9AAF9 | SHA256:A4373852657385D65290E7A1BBD72EB33A26442683A16809AC5201C25F45921D | |||
7984 | Explorers.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | binary | |
MD5:2F0150D3FB7706702902454075D09453 | SHA256:277FBF8E0E0921515998268A041B3B07AE67E7A7901D7430CF1AE66B7D794884 | |||
7984 | Explorers.exe | C:\Program Files\TCP Monitor\tcpmon.exe | executable | |
MD5:786D532AC7B47B8A1CC7D08EA0DC772C | SHA256:EC2981F40D6443C6BBC5ADDC60315B4CAEAEADBBA2217D97F2EFFF4BA27B6501 | |||
7984 | Explorers.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\task.dat | text | |
MD5:6191C3E7B5909A9DDE044D79D11EE4B3 | SHA256:CBB00D4326C6D34FE891F87600F22187D4008A5F7074592ACB0670D27E829CBF | |||
4924 | Explorers.exe | C:\Users\admin\AppData\Roaming\Explorers\WHost.exe | executable | |
MD5:1D9481AB1112DDDA360168AE3C63378A | SHA256:3141A5501C9A993383A54B476C4D2250452AC71DA6381124F94C988138205E6C | |||
7984 | Explorers.exe | C:\Users\admin\AppData\Local\Temp\tmp5F3D.tmp | xml | |
MD5:E4118E3EC98934AA1D4235C87B44AA31 | SHA256:EFC475D73603DF6A26978D7BCAC27004830137E97FDD1656140B4A08C07470D9 | |||
9312 | WHost.exe | C:\ProgramData\Explorers.exe | executable | |
MD5:1D9481AB1112DDDA360168AE3C63378A | SHA256:3141A5501C9A993383A54B476C4D2250452AC71DA6381124F94C988138205E6C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2484 | Explorers.exe | GET | — | 146.185.195.20:80 | http://146.185.195.20/upnp.exe | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2484 | Explorers.exe | 149.202.110.30:18982 | meki.duckdns.org | OVH SAS | FR | malicious |
2484 | Explorers.exe | 146.185.195.20:80 | — | Petersburg Internet Network ltd. | RU | malicious |
7984 | Explorers.exe | 105.112.117.70:55190 | rubenbakerr.ddns.net | — | NG | unknown |
Domain | IP | Reputation |
---|---|---|
www.google.com |
| whitelisted |
rubenbakerr.ddns.net |
| malicious |
meki.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2484 | Explorers.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |
2484 | Explorers.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |