File name: | ye.exe |
Full analysis: | https://app.any.run/tasks/a5ac975f-5171-48ff-9d84-240c0525e94c |
Verdict: | Malicious activity |
Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
Analysis date: | July 17, 2019, 17:09:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7338B5BFEDCA98EC4FC567BF10726D0F |
SHA1: | D9FA5309DE66B6C6A9ED340080CCFBAA357A95E0 |
SHA256: | E67FDCCB5410647C06AE3F33AE976285B51E119EC904CAE768ED6392F5A5FBD6 |
SSDEEP: | 24576:bNA3R5drXTLPdKVjGe6PaxaQ1lrcltwA/tw+ww8FHDbeisNIfTKPWBcH:G5PlewPa3itwsn8x6IOPWBy |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1d759 |
UninitializedDataSize: | - |
InitializedDataSize: | 138240 |
CodeSize: | 190976 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2019:04:27 22:03:27+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Apr-2019 20:03:27 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 27-Apr-2019 20:03:27 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002E854 | 0x0002EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.69231 |
.rdata | 0x00030000 | 0x00009A9C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13286 |
.data | 0x0003A000 | 0x000213D0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.25381 |
.gfids | 0x0005C000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.11154 |
.rsrc | 0x0005D000 | 0x0001516C | 0x00015200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.79068 |
.reloc | 0x00073000 | 0x00001FCC | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64554 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.15447 | 494 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.2036 | 1094 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.12889 | 358 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 2.95673 | 288 | Latin 1 / Western European | English - United States | RT_STRING |
14 | 2.94627 | 266 | Latin 1 / Western European | English - United States | RT_STRING |
15 | 2.83619 | 188 | Latin 1 / Western European | English - United States | RT_STRING |
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3524 | "C:\Users\admin\AppData\Local\Temp\ye.exe" | C:\Users\admin\AppData\Local\Temp\ye.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1476 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\43555320\wdg.vbs" | C:\Windows\System32\WScript.exe | — | ye.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2984 | "C:\Users\admin\AppData\Local\Temp\43555320\frq.exe" mca=vqw | C:\Users\admin\AppData\Local\Temp\43555320\frq.exe | — | WScript.exe |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 4 | ||||
1600 | C:\Users\admin\AppData\Local\Temp\43555320\frq.exe C:\Users\admin\AppData\Local\Temp\43555320\IBWTI | C:\Users\admin\AppData\Local\Temp\43555320\frq.exe | frq.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 4 | ||||
2076 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | frq.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Version: 4.7.3062.0 built by: NET472REL1 | ||||
1552 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | RegSvcs.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2116 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3212 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3552 | "C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml | C:\Windows\system32\pkgmgr.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3796 | "C:\Windows\system32\dism.exe" /online /norestart /apply-unattend:"C:\Users\admin\AppData\Local\Temp\ellocnak.xml" | C:\Windows\system32\dism.exe | — | pkgmgr.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Dism Image Servicing Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\wdg.vbs | text | |
MD5:0BE243F6620271E916110C3CE5CF02E2 | SHA256:72105FCF240164C18FD8CFD63E22552DD56D818BF9FE0F43308837B2BB2C1087 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\fpb.bmp | text | |
MD5:D7CD30E73B7691AE28DD97D96A320BAA | SHA256:9B780D2B801880BB32CF3E134B4F976A6250B1BEFB2FA0A032845EB3DE393CB2 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\rjf.dat | text | |
MD5:68B02A22F15F9696CF450D04B808573E | SHA256:34887E7D9F4D86686CAB982342648801D8328665F55647221BC3CE292A6922EB | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\qfd.pdf | text | |
MD5:0503FAAEC3D91BEB320866CC0DC996F2 | SHA256:79E87F0CB97EA1A84B77D49CA62275484AD6224511BA79E54DAFE499D8BEE7FD | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\scg.bmp | text | |
MD5:0602C2F4B254A2376DF378D1AF74BA3B | SHA256:27CC615968AFBED10EEC4B746CB1CBB7484D9C040ED0934B074B73261ED652A4 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\hkc.bmp | text | |
MD5:6357C7368D80ECADF1E45DFC1B62BE2E | SHA256:F8B5B3F37DF2FEB8A4A7EB506D1E229431B504B301110FDB183777AE6EB8E587 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\gjg.mp4 | text | |
MD5:CF150A922A20C537CC8441BABEABE2FB | SHA256:052D85F1DE12C4B778ACF41E948FAB16C7406320CFCB6B9F0155DCB6DDD53865 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\cee.jpg | text | |
MD5:851B9FDF2A86816B55A28C411A141095 | SHA256:5ADA33BA8C6976EF9BBD9B0655A5CC95C441DAA8B6D47360150BDD0655392899 | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\hjq.mp3 | text | |
MD5:18B153FEAD8045436442271DB0F94AE6 | SHA256:ED20D22C7CD98E1987F15586E1E8EB3201205CCA22DC79E2B9AE7B1E7C77202C | |||
3524 | ye.exe | C:\Users\admin\AppData\Local\Temp\43555320\xmk.mp3 | text | |
MD5:894D406801F44DEC2DB1D5D7F9B09ECE | SHA256:721722682DA7B4A8B6980F39B658CF1D45B4C25BDFF2917F0B2DD9D1F6676726 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2076 | RegSvcs.exe | 193.176.87.214:4070 | benzkartel.duckdns.org | — | — | unknown |
Domain | IP | Reputation |
---|---|---|
benzkartel.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |