Field | Value |
---|---|
Created | 2021.08.15 13:01 |
Machine | s1_win7_x6402 |
Filename | warzone.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 56 detected (FamVT, BuerakMO, Agentb, tret, malicious, high confidence, Maria, DeepScan, SLlg, MocrtRI, S11879567, WarzoneRAT, FCNI, Unsafe, Save, confidence, 100%, Antiav, INDT, Avecma, jiad, fljpfv, AveMaria, CLASSIC, R + Troj, Mocrt, VA@81mmki, Redcap, ghjpt, ai score=89, ASMalwS, KVMH017, kcloud, Remcos, score, R263895, BScope, Gencirc, GenAsa, ++8lN4UW0KE, Static AI, Malicious PE, Genetic, HxQBREcA) |
md5 | 2c088bc2980ba15e3500f929a7d13019 |
sha256 | 284fe4243b097f48a25331d564e74fa79e02664470092dd6491e20e00c578a1f |
ssdeep | 1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEyp:AtD6jSm0uWRfCogTjVEG |
imphash | b76aafdc988ade2ab3db3b02fa4c6d00 |
impfuzzy | 96:qw8R4pAnscp+lsGDePCDR2HYKPQSPKnPEjC59/I9Up8:qyAnSePCDR2HzPlaPtp8 |
Signature (5cnts)
Level | Description |
---|---|
danger | File has been identified by 56 AntiVirus engines on VirusTotal as malicious |
notice | Foreign language identified in PE resource |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
info | Checks amount of memory in system |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (0cnts)
Request | CC | ASN Co | IP4 | Rule | ZERO |
---|---|---|---|---|---|
Suricata ids
PE API
IAT (Import Address Table)
KERNEL32.dll
0x41207c GetProcAddress
0x412080 ExitProcess
0x412084 GetCommandLineA
0x412088 GetStartupInfoA
0x41208c HeapFree
0x412090 VirtualFree
0x412094 VirtualAlloc
0x412098 HeapReAlloc
0x41209c VirtualQuery
0x4120a0 TerminateThread
0x4120a4 CreateThread
0x4120a8 WriteFile
0x4120ac CreateFileW
0x4120b0 LoadLibraryW
0x4120b4 GetLocalTime
0x4120b8 GetCurrentThreadId
0x4120bc GetCurrentProcessId
0x4120c0 ReadFile
0x4120c4 FindFirstFileA
0x4120c8 GetBinaryTypeW
0x4120cc FindNextFileA
0x4120d0 GetFullPathNameA
0x4120d4 GetTempPathW
0x4120d8 GetPrivateProfileStringW
0x4120dc CreateFileA
0x4120e0 GlobalAlloc
0x4120e4 GetCurrentDirectoryW
0x4120e8 SetCurrentDirectoryW
0x4120ec LocalFree
0x4120f0 GetFileSize
0x4120f4 FreeLibrary
0x4120f8 WaitForSingleObject
0x4120fc GetCurrentProcess
0x412100 WaitForMultipleObjects
0x412104 CreatePipe
0x412108 PeekNamedPipe
0x41210c DuplicateHandle
0x412110 Sleep
0x412114 CreateProcessW
0x412118 CreateEventA
0x41211c GetModuleFileNameW
0x412120 LoadResource
0x412124 FindResourceW
0x412128 LoadLibraryA
0x41212c LoadLibraryExW
0x412130 FindFirstFileW
0x412134 FindNextFileW
0x412138 SetFilePointer
0x41213c GetLogicalDriveStringsW
0x412140 DeleteFileW
0x412144 CopyFileW
0x412148 GetDriveTypeW
0x41214c EnterCriticalSection
0x412150 LeaveCriticalSection
0x412154 InitializeCriticalSection
0x412158 DeleteCriticalSection
0x41215c CreateMutexA
0x412160 ReleaseMutex
0x412164 TerminateProcess
0x412168 OpenProcess
0x41216c CreateToolhelp32Snapshot
0x412170 Process32NextW
0x412174 lstrcmpW
0x412178 VirtualProtectEx
0x41217c CreateProcessA
0x412180 SizeofResource
0x412184 VirtualProtect
0x412188 LockResource
0x41218c GetWindowsDirectoryW
0x412190 Process32First
0x412194 WriteProcessMemory
0x412198 Process32Next
0x41219c GetWindowsDirectoryA
0x4121a0 VirtualAllocEx
0x4121a4 CreateRemoteThread
0x4121a8 IsWow64Process
0x4121ac GetTempPathA
0x4121b0 GetTickCount
0x4121b4 lstrcpyW
0x4121b8 WideCharToMultiByte
0x4121bc lstrcpyA
0x4121c0 MultiByteToWideChar
0x4121c4 lstrcatA
0x4121c8 GetProcessHeap
0x4121cc HeapAlloc
0x4121d0 GetComputerNameW
0x4121d4 lstrcmpA
0x4121d8 lstrlenA
0x4121dc ExpandEnvironmentStringsW
0x4121e0 lstrlenW
0x4121e4 CloseHandle
0x4121e8 lstrcatW
0x4121ec GetLastError
0x4121f0 GetModuleHandleA
0x4121f4 SetLastError
0x4121f8 GetModuleFileNameA
0x4121fc CreateDirectoryW
0x412200 SetEvent
0x412204 Process32FirstW
USER32.dll
0x412264 MessageBoxA
0x412268 GetKeyState
0x41226c GetMessageA
0x412270 DispatchMessageA
0x412274 CreateWindowExW
0x412278 CallNextHookEx
0x41227c GetAsyncKeyState
0x412280 SetWindowsHookExA
0x412284 RegisterClassW
0x412288 GetRawInputData
0x41228c MapVirtualKeyA
0x412290 GetForegroundWindow
0x412294 DefWindowProcA
0x412298 RegisterRawInputDevices
0x41229c GetLastInputInfo
0x4122a0 ToUnicode
0x4122a4 GetKeyNameTextW
0x4122a8 PostQuitMessage
0x4122ac GetWindowTextW
0x4122b0 TranslateMessage
0x4122b4 wsprintfA
0x4122b8 wsprintfW
ADVAPI32.dll
0x412000 FreeSid
0x412004 LookupAccountSidW
0x412008 GetTokenInformation
0x41200c CloseServiceHandle
0x412010 OpenSCManagerW
0x412014 RegCreateKeyExA
0x412018 RegSetValueExW
0x41201c StartServiceW
0x412020 EnumServicesStatusExW
0x412024 RegSetValueExA
0x412028 RegCreateKeyExW
0x41202c RegDeleteKeyW
0x412030 LookupPrivilegeValueW
0x412034 AdjustTokenPrivileges
0x412038 AllocateAndInitializeSid
0x41203c OpenProcessToken
0x412040 RegQueryValueExW
0x412044 RegOpenKeyExW
0x412048 RegOpenKeyExA
0x41204c RegEnumKeyExW
0x412050 RegQueryValueExA
0x412054 RegQueryInfoKeyW
0x412058 RegCloseKey
0x41205c OpenServiceW
0x412060 ChangeServiceConfigW
0x412064 QueryServiceConfigW
0x412068 RegDeleteValueW
SHELL32.dll
0x412228 SHGetSpecialFolderPathW
0x41222c SHCreateDirectoryExW
0x412230 SHGetFolderPathW
0x412234 ShellExecuteW
0x412238 None
0x41223c ShellExecuteExA
urlmon.dll
0x412334 URLDownloadToFileW
WS2_32.dll
0x4122dc freeaddrinfo
0x4122e0 htons
0x4122e4 recv
0x4122e8 connect
0x4122ec socket
0x4122f0 send
0x4122f4 WSAStartup
0x4122f8 getaddrinfo
0x4122fc shutdown
0x412300 closesocket
0x412304 WSACleanup
0x412308 ioctlsocket
0x41230c ntohs
0x412310 gethostbyname
0x412314 inet_addr
0x412318 setsockopt
ole32.dll
0x412320 CoCreateInstance
0x412324 CoUninitialize
0x412328 CoInitialize
0x41232c CoTaskMemFree
SHLWAPI.dll
0x412244 StrStrW
0x412248 PathRemoveFileSpecA
0x41224c StrStrA
0x412250 PathCombineA
0x412254 PathFindFileNameW
0x412258 PathFindExtensionW
0x41225c PathFileExistsW
NETAPI32.dll
0x41220c NetLocalGroupAddMembers
0x412210 NetUserAdd
OLEAUT32.dll
0x412218 VariantInit
CRYPT32.dll
0x412070 CryptStringToBinaryA
0x412074 CryptUnprotectData
PSAPI.DLL
0x412220 GetModuleFileNameExW
WININET.dll
0x4122c0 InternetQueryDataAvailable
0x4122c4 InternetOpenUrlW
0x4122c8 InternetOpenW
0x4122cc InternetCloseHandle
0x4122d0 InternetReadFile
0x4122d4 InternetCheckConnectionW
EAT (Export Address Table): none