File name: | Sample1.zip |
Full analysis: | https://app.any.run/tasks/a35addb5-e0d6-40f8-b4f0-3f5c88a95728 |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | January 17, 2020, 22:35:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | E768C1F6CC44D3776AB9C9EE92C8C0D8 |
SHA1: | 906E04A33C4E081A8B83E877F25BBD158FCF0567 |
SHA256: | D7B1D3CFF374E29E166F0A03761F670FA4DB012E0894977C46F2336A4F56DCBB |
SSDEEP: | 6144:2bZ8E7CPsBxTddI/CdAtAb0aRnXiObpawayRElken8MBs3VVU6IyI:a8QCPsLTDWBQnXiiawpEke/C7U61I |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:01:17 22:34:21 |
ZipCRC: | 0xea270d8b |
ZipCompressedSize: | 332741 |
ZipUncompressedSize: | 450560 |
ZipFileName: | ec2981f40d6443c6bbc5addc60315b4caeaeadbba2217d97f2efff4ba27b6501.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4068 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3088 | "C:\Users\admin\Desktop\ayy.exe" | C:\Users\admin\Desktop\ayy.exe | explorer.exe | |
User: admin Company: enxzoli Integrity Level: MEDIUM Description: egiqmo Exit code: 0 Version: 2.6.81.71 | ||||
4100 | "C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe" | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | ayy.exe | |
User: admin Company: enxzoli Integrity Level: MEDIUM Description: egiqmo Exit code: 0 Version: 2.6.81.71 | ||||
7656 | "C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe" | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | Explorers.exe | |
User: admin Company: enxzoli Integrity Level: MEDIUM Description: egiqmo Version: 2.6.81.71 | ||||
8856 | "C:\Users\admin\AppData\Roaming\Explorers\WHost.exe" | C:\Users\admin\AppData\Roaming\Explorers\WHost.exe | Explorers.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
10636 | "C:\Users\admin\AppData\Roaming\Explorers.exe" | C:\Users\admin\AppData\Roaming\Explorers.exe | WHost.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
11548 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | Explorers.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
5788 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
6572 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
8604 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
4068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rzi_4068.3981 | — | |
MD5:— | SHA256:— | |||
4068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb4068.4181\ayy.exe | — | |
MD5:— | SHA256:— | |||
7656 | Explorers.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:5BE9B7DDD5D449FD6D661EEB041BFF85 | SHA256:98EE742B0F1DE95E250F2B4310307322996023C1A3C8147B88A6EC73A9A72B56 | |||
4100 | Explorers.exe | C:\Users\admin\AppData\Roaming\Explorers\WHost.exe | executable | |
MD5:1D9481AB1112DDDA360168AE3C63378A | SHA256:3141A5501C9A993383A54B476C4D2250452AC71DA6381124F94C988138205E6C | |||
3088 | ayy.exe | C:\Users\admin\AppData\Roaming\Explorers\Explorers.exe | executable | |
MD5:786D532AC7B47B8A1CC7D08EA0DC772C | SHA256:EC2981F40D6443C6BBC5ADDC60315B4CAEAEADBBA2217D97F2EFFF4BA27B6501 | |||
8856 | WHost.exe | C:\Users\admin\AppData\Roaming\Explorers.exe | executable | |
MD5:1D9481AB1112DDDA360168AE3C63378A | SHA256:3141A5501C9A993383A54B476C4D2250452AC71DA6381124F94C988138205E6C | |||
4100 | Explorers.exe | C:\Users\admin\AppData\Roaming\Explorers\egiqmo.url | text | |
MD5:32B6B0AA07E967C08F5C2BD6E5F9AAF9 | SHA256:A4373852657385D65290E7A1BBD72EB33A26442683A16809AC5201C25F45921D | |||
4068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Sample1.zip | compressed | |
MD5:C0A298D1FBFE835A3FED7BC6BF584731 | SHA256:716421E00604D121BAACEFCB1EA4D5F39BC911C9125C6222678695D20AE71906 | |||
7656 | Explorers.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:786D532AC7B47B8A1CC7D08EA0DC772C | SHA256:EC2981F40D6443C6BBC5ADDC60315B4CAEAEADBBA2217D97F2EFFF4BA27B6501 | |||
11548 | cmd.exe | C:\Users\admin\AppData\Local\Temp\dismcore.dll | executable | |
MD5:6B906764A35508A7FD266CDD512E46B1 | SHA256:FC0C90044B94B080F307C16494369A0796AC1D4E74E7912BA79C15CCA241801C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
9504 | Explorers.exe | GET | — | 146.185.195.20:80 | http://146.185.195.20/upnp.exe | RU | — | — | malicious |
9504 | Explorers.exe | GET | — | 146.185.195.20:80 | http://146.185.195.20/upnp.exe | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
7656 | Explorers.exe | 105.112.117.70:55190 | rubenbakerr.ddns.net | — | NG | unknown |
10636 | Explorers.exe | 149.202.110.30:18982 | meki.duckdns.org | OVH SAS | FR | malicious |
9504 | Explorers.exe | 149.202.110.30:18982 | meki.duckdns.org | OVH SAS | FR | malicious |
9504 | Explorers.exe | 146.185.195.20:80 | — | Petersburg Internet Network ltd. | RU | malicious |
7656 | Explorers.exe | 185.165.153.162:55190 | — | — | NL | unknown |
Domain | IP | Reputation |
---|---|---|
www.google.com |
| whitelisted |
rubenbakerr.ddns.net |
| malicious |
meki.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
10636 | Explorers.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |
10636 | Explorers.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
10636 | Explorers.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Connection |
9504 | Explorers.exe | A Network Trojan was detected | AV TROJAN Ave Maria RAT CnC Response |
9504 | Explorers.exe | A Network Trojan was detected | MALWARE [PTsecurity] AveMaria.RAT Encrypted Checkin |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |