Field | Value | Field | Value
---|---|---|---
Created | 2023.11.02 10:12 | Machine | s1_win7_x6403_us
Filename | Klv-sailor-warzone123456.txt.exe | |
Type | PE32 executable (GUI) Intel 80386, for MS Windows | |
AI Score | | |
Behavior Score | | |
ZERO API | file : clean | |
VT API (file) | 63 detected (AIDetectMalware, Windows, AveMaria, SLlg, Agentb, FDNF, Save, malicious, Dnldr27, DQML, Avecma, Warzone, score, jiad, AntiAV, fljpfv, CLASSIC, Redcap, ghjpt, Maria, MOCRT, Static AI, Malicious PE, Detected, ai score=88, VA@81mmki, Remcos, INDT, R263895, WarzoneRat, unsafe, Genetic, Gencirc, GenAsa, ++8lN4UW0KE, susgen, confidence, 100%) | |
md5 | 57c76226a25c44ea73d0ffd2b8258a56 | |
sha256 | 24c31e8d645268f9b40c348887aebe9eacf476b25c52e904ca90967a97ca0165 | |
ssdeep | 1536:23P7aiRdDxXp2yc9q6qT+Ry0844UudNH6GLHWVE0UXD:29dZv9W844bdNvLHWVE06D | |
imphash | 4747c70adc127d28c18f0f7237b1add9 | |
impfuzzy | 96:+8R4pJnscp+lSBGNePCDR2HtyBm7KncGKguEjkn9/I9Up8:MJnF2ePCDR2HdnRJNtp8 | |
Network IP location
Signature (13cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that no longer respond to requests (legitimate services usually remain reachable) |
danger | File has been identified by 63 AntiVirus engines on VirusTotal as malicious |
watch | Allocates execute permission to another process indicative of possible code injection |
watch | Installs itself for autorun at Windows startup |
watch | Potential code injection by writing to the memory of another process |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Connects to a Dynamic DNS Domain |
notice | Creates a suspicious process |
notice | Foreign language identified in PE resource |
info | Checks amount of memory in system |
info | Command line console output was observed |
info | The file contains an unknown PE resource name possibly indicative of a packer |
Rules (9cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Ave_Maria_Zero | Remote Access Trojan that is also called WARZONE RAT | binaries (upload) |
warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x412088 GetStartupInfoA
0x41208c HeapFree
0x412090 VirtualFree
0x412094 VirtualAlloc
0x412098 HeapReAlloc
0x41209c VirtualQuery
0x4120a0 TerminateThread
0x4120a4 CreateThread
0x4120a8 WriteFile
0x4120ac CreateFileW
0x4120b0 LoadLibraryW
0x4120b4 GetLocalTime
0x4120b8 GetCurrentThreadId
0x4120bc GetCurrentProcessId
0x4120c0 ReadFile
0x4120c4 FindFirstFileA
0x4120c8 GetBinaryTypeW
0x4120cc FindNextFileA
0x4120d0 GetFullPathNameA
0x4120d4 GetTempPathW
0x4120d8 GetPrivateProfileStringW
0x4120dc CreateFileA
0x4120e0 GlobalAlloc
0x4120e4 GetCurrentDirectoryW
0x4120e8 SetCurrentDirectoryW
0x4120ec LocalFree
0x4120f0 GetFileSize
0x4120f4 FreeLibrary
0x4120f8 WaitForSingleObject
0x4120fc GetCurrentProcess
0x412100 WaitForMultipleObjects
0x412104 CreatePipe
0x412108 PeekNamedPipe
0x41210c DuplicateHandle
0x412110 SetEvent
0x412114 CreateProcessW
0x412118 CreateEventA
0x41211c LoadLibraryA
0x412120 LoadResource
0x412124 FindResourceW
0x412128 GetComputerNameW
0x41212c LoadLibraryExW
0x412130 FindFirstFileW
0x412134 FindNextFileW
0x412138 GetCommandLineA
0x41213c GetLogicalDriveStringsW
0x412140 DeleteFileW
0x412144 CopyFileW
0x412148 GetDriveTypeW
0x41214c EnterCriticalSection
0x412150 LeaveCriticalSection
0x412154 InitializeCriticalSection
0x412158 DeleteCriticalSection
0x41215c CreateMutexA
0x412160 ReleaseMutex
0x412164 TerminateProcess
0x412168 OpenProcess
0x41216c CreateToolhelp32Snapshot
0x412170 Process32NextW
0x412174 Process32FirstW
0x412178 VirtualProtectEx
0x41217c GetProcessHeap
0x412180 SizeofResource
0x412184 VirtualProtect
0x412188 Wow64DisableWow64FsRedirection
0x41218c GetSystemDirectoryW
0x412190 Wow64RevertWow64FsRedirection
0x412194 LockResource
0x412198 GetWindowsDirectoryW
0x41219c IsWow64Process
0x4121a0 Process32First
0x4121a4 WriteProcessMemory
0x4121a8 Process32Next
0x4121ac GetWindowsDirectoryA
0x4121b0 VirtualAllocEx
0x4121b4 CreateRemoteThread
0x4121b8 WinExec
0x4121bc GetTempPathA
0x4121c0 HeapAlloc
0x4121c4 Sleep
0x4121c8 lstrcmpW
0x4121cc GetTickCount
0x4121d0 lstrcpyW
0x4121d4 WideCharToMultiByte
0x4121d8 GetModuleHandleA
0x4121dc ExitProcess
0x4121e0 SetFilePointer
0x4121e4 lstrcpyA
0x4121e8 MultiByteToWideChar
0x4121ec lstrcatA
0x4121f0 lstrcmpA
0x4121f4 lstrlenA
0x4121f8 ExpandEnvironmentStringsW
0x4121fc lstrlenW
0x412200 CloseHandle
0x412204 GetProcAddress
0x412208 lstrcatW
0x41220c GetLastError
0x412210 SetLastError
0x412214 GetModuleFileNameA
0x412218 CreateDirectoryW
0x41221c GetModuleFileNameW
0x412220 CreateProcessA
USER32.dll
0x412284 MessageBoxA
0x412288 GetKeyState
0x41228c GetMessageA
0x412290 DispatchMessageA
0x412294 CreateWindowExW
0x412298 CallNextHookEx
0x41229c GetAsyncKeyState
0x4122a0 SetWindowsHookExA
0x4122a4 RegisterClassW
0x4122a8 GetRawInputData
0x4122ac MapVirtualKeyA
0x4122b0 GetForegroundWindow
0x4122b4 DefWindowProcA
0x4122b8 RegisterRawInputDevices
0x4122bc GetLastInputInfo
0x4122c0 ToUnicode
0x4122c4 GetKeyNameTextW
0x4122c8 PostQuitMessage
0x4122cc GetWindowTextW
0x4122d0 TranslateMessage
0x4122d4 wsprintfA
0x4122d8 wsprintfW
ADVAPI32.dll
0x412000 LookupPrivilegeValueW
0x412004 AdjustTokenPrivileges
0x412008 AllocateAndInitializeSid
0x41200c OpenProcessToken
0x412010 FreeSid
0x412014 LookupAccountSidW
0x412018 GetTokenInformation
0x41201c CloseServiceHandle
0x412020 OpenSCManagerW
0x412024 RegCreateKeyExW
0x412028 RegDeleteKeyW
0x41202c InitializeSecurityDescriptor
0x412030 RegDeleteKeyA
0x412034 SetSecurityDescriptorDacl
0x412038 RegDeleteValueW
0x41203c RegQueryValueExW
0x412040 RegOpenKeyExW
0x412044 RegOpenKeyExA
0x412048 RegEnumKeyExW
0x41204c RegQueryValueExA
0x412050 RegQueryInfoKeyW
0x412054 RegCloseKey
0x412058 OpenServiceW
0x41205c ChangeServiceConfigW
0x412060 QueryServiceConfigW
0x412064 EnumServicesStatusExW
0x412068 StartServiceW
0x41206c RegSetValueExW
0x412070 RegCreateKeyExA
0x412074 RegSetValueExA
SHELL32.dll
0x412244 ShellExecuteExW
0x412248 SHGetSpecialFolderPathW
0x41224c SHCreateDirectoryExW
0x412250 SHGetFolderPathW
0x412254 ShellExecuteW
0x412258 (unnamed import, resolved by ordinal)
0x41225c ShellExecuteExA
urlmon.dll
0x412354 URLDownloadToFileW
WS2_32.dll
0x4122fc setsockopt
0x412300 freeaddrinfo
0x412304 htons
0x412308 recv
0x41230c connect
0x412310 socket
0x412314 send
0x412318 WSAStartup
0x41231c shutdown
0x412320 closesocket
0x412324 WSACleanup
0x412328 ioctlsocket
0x41232c ntohs
0x412330 gethostbyname
0x412334 inet_addr
0x412338 getaddrinfo
ole32.dll
0x412340 CoCreateInstance
0x412344 CoUninitialize
0x412348 CoInitialize
0x41234c CoTaskMemFree
SHLWAPI.dll
0x412264 StrStrW
0x412268 PathRemoveFileSpecA
0x41226c StrStrA
0x412270 PathCombineA
0x412274 PathFindFileNameW
0x412278 PathFindExtensionW
0x41227c PathFileExistsW
NETAPI32.dll
0x412228 NetLocalGroupAddMembers
0x41222c NetUserAdd
OLEAUT32.dll
0x412234 VariantInit
CRYPT32.dll
0x41207c CryptStringToBinaryA
0x412080 CryptUnprotectData
PSAPI.DLL
0x41223c GetModuleFileNameExW
WININET.dll
0x4122e0 InternetQueryDataAvailable
0x4122e4 InternetOpenUrlW
0x4122e8 InternetOpenW
0x4122ec InternetCloseHandle
0x4122f0 InternetReadFile
0x4122f4 InternetCheckConnectionW
EAT (Export Address Table): none
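The import table above is the most informative static artefact on this page: the behavioural signatures (code injection, autorun, dynamic DNS) only confirm what the IAT already makes possible. As an added example, not code from the sandbox or from any vendor, the Python script below turns the report's text layout into a capability summary. The IMPORTS excerpt is copied from this page's listing; the CAPABILITIES groupings are the author's own assumed heuristics, and each one fires only when every API in one of its alternative sets is present, so a lone OpenProcess is not reported as injection.

```python
"""Static capability triage over the IAT listing above.
Added example: not part of the sandbox report and not code from any vendor.
IMPORTS is an excerpt copied from this page's IAT text (the full listing can
be pasted in unchanged); CAPABILITIES is the author's own heuristic grouping,
assumed here rather than taken from any published signature set."""
import re
from collections import defaultdict

IMPORTS = """
KERNEL32.dll
0x412168 OpenProcess
0x4121a4 WriteProcessMemory
0x4121b0 VirtualAllocEx
0x4121b4 CreateRemoteThread
USER32.dll
0x412298 CallNextHookEx
0x4122a0 SetWindowsHookExA
0x4122a8 GetRawInputData
0x4122b8 RegisterRawInputDevices
ADVAPI32.dll
0x412000 LookupPrivilegeValueW
0x412004 AdjustTokenPrivileges
0x41200c OpenProcessToken
0x412020 OpenSCManagerW
0x412024 RegCreateKeyExW
0x412058 OpenServiceW
0x41205c ChangeServiceConfigW
0x412068 StartServiceW
0x41206c RegSetValueExW
SHELL32.dll
0x412258 None
WS2_32.dll
0x412308 recv
0x41230c connect
0x412310 socket
0x412314 send
0x412318 WSAStartup
NETAPI32.dll
0x412228 NetLocalGroupAddMembers
0x41222c NetUserAdd
CRYPT32.dll
0x412080 CryptUnprotectData
"""

# A capability counts only when every API in one of its alternative sets is imported.
CAPABILITIES = {
    "remote-thread process injection":
        [{"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}],
    "keylogging": [{"SetWindowsHookExA", "CallNextHookEx"},         # message hook
                   {"RegisterRawInputDevices", "GetRawInputData"}],  # raw input
    "registry value write (autorun candidate)": [{"RegCreateKeyExW", "RegSetValueExW"}],
    "service reconfiguration":
        [{"OpenSCManagerW", "OpenServiceW", "ChangeServiceConfigW", "StartServiceW"}],
    "token privilege adjustment":
        [{"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"}],
    "local account creation": [{"NetUserAdd", "NetLocalGroupAddMembers"}],
    "DPAPI credential decryption": [{"CryptUnprotectData"}],
    "raw TCP C2 channel": [{"WSAStartup", "socket", "connect", "send", "recv"}],
}

IMPORT_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")

def parse_iat_listing(text):
    """Return {dll (lower-case): [names]}: a bare DLL name opens a section and
    "<addr> <name>" lines belong to it; 'None' marks an import with no name (by ordinal)."""
    imports, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = IMPORT_LINE.match(line)
        if match is None:
            current = line.lower()
        elif current is None:
            raise ValueError(f"import line before any DLL header: {line!r}")
        else:
            imports[current].append(match.group(1))
    return dict(imports)

def unnamed_imports(imports):
    """DLLs with ordinal-only entries; resolving those needs the binary itself."""
    return sorted(dll for dll, names in imports.items() if "None" in names)

def classify(imports):
    """Map each satisfied capability to the API set that satisfied it."""
    present = {n for names in imports.values() for n in names if n != "None"}
    hits = {}
    for capability, alternatives in CAPABILITIES.items():
        for required in alternatives:
            if required <= present:
                hits[capability] = sorted(required)
                break
    return hits

if __name__ == "__main__":
    table = parse_iat_listing(IMPORTS)
    for capability, apis in classify(table).items():
        print(f"{capability:42} <- {', '.join(apis)}")
    print("ordinal-only imports in:", ", ".join(unnamed_imports(table)) or "none")
```

Three caveats when reading the output. Imports show what the code can call, not what it did; the behavioural signatures above are what confirm injection and autorun actually happened in the sandbox. The parser treats any line that is not "<address> <name>" as a DLL header, so paste only the listing itself, not the surrounding headings. Finally, a stage that is genuinely UPX-compressed normally leaves little more than LoadLibraryA and GetProcAddress in its IAT, so a table this rich sitting next to a UPX_Zero rule hit is worth reconciling against the section headers of the real file, and the imphash on this page cannot be recomputed from the text alone (it depends on import-descriptor order and on the ordinal behind the unnamed SHELL32 entry), so verify it with pefile against the binary.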