warzonerat | f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4

General

Target

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
Size

652KB
MD5

85063571eccad2a81103ea6603ba1e08
SHA1

c762c1e085a489b21c125e75e21683cd86e138c9
SHA256

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4
SHA512

8a271d14190d2bf5cb9d4a62830b750b64954a9ed5d5ac803dca2ce9e9b38b6a69fd61518e0271dfbddeb20de383d686f6b0d9cfdf26be7ed394b244e41ca12f

Score

10^/10

warzonerat xpertrat special x evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

warzonerat

C2

195.140.214.82:6703

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

zytriew.duckdns.org:4145

papertyy.duckdns.org:4145

ghytrty.duckdns.org:4145

Mutex

A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/280-15-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat
behavioral1/memory/280-16-0x0000000000401364-mapping.dmp	xpertrat
behavioral1/memory/280-17-0x0000000000400000-0x0000000000443000-memory.dmp	xpertrat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/932-2-0x0000000002AA0000-0x0000000002BF4000-memory.dmp	warzonerat

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

fmGfizuAc.exe

pid process

2024 fmGfizuAc.exe
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2024	fmGfizuAc.exe

Loads dropped DLL 11 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exefmGfizuAc.exe

pid	process
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
672
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

fmGfizuAc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" fmGfizuAc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	fmGfizuAc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1 = "C:\\Users\\Admin\\AppData\\Roaming\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1\\A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

fmGfizuAc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fmGfizuAc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fmGfizuAc.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Jjbyi.m = "0"	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

Drops file in System32 directory 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fmGfizuAc.exe

description	pid	process	target process
PID 2024 set thread context of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 set thread context of 280	2024	fmGfizuAc.exe	iexplore.exe

Drops file in Program Files directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fmGfizuAc.exe

pid process

2024 fmGfizuAc.exe
2024 fmGfizuAc.exe
2024 fmGfizuAc.exe
2024 fmGfizuAc.exe
2024 fmGfizuAc.exe
2024 fmGfizuAc.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

672
672
672
672
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

iexplore.exeSecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

description pid process

Token: SeDebugPrivilege 280 iexplore.exe
Token: SeDebugPrivilege 932 SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fmGfizuAc.exeiexplore.exe

pid process

2024 fmGfizuAc.exe
280 iexplore.exe

pid	process
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe
2024	fmGfizuAc.exe

pid	process
672
672
672
672

description	pid	process
Token: SeDebugPrivilege	280	iexplore.exe
Token: SeDebugPrivilege	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe

pid	process
2024	fmGfizuAc.exe
280	iexplore.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exefmGfizuAc.exe

description	pid	process	target process
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 932 wrote to memory of 2024	932	SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe	fmGfizuAc.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 1116	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe
PID 2024 wrote to memory of 280	2024	fmGfizuAc.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

fmGfizuAc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fmGfizuAc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fmGfizuAc.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Maria.4.28965.20352.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
"C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
3⤵
PID:1116

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

8

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
C:\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
\Users\Admin\AppData\Roaming\fmGfizuAc.exe
MD5
2e6f05e8245b62297355f070a6f966df

SHA1
7461222b5d34eb2328c7d50a75956f9dc78c32a3

SHA256
f5c1bcee04671046761d44546a3e4a413049a42cd9067caa25e7640ab5867178

SHA512
44302f90666acbaaedc8c4a8481cc2fdc82da786514683d5c5664f5b6eda7ee4e415e2c4155b1e92f7d93d82ddd60d6f652e35332b5ce50eba84897c5202a899

Download Submit
memory/280-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/280-16-0x0000000000401364-mapping.dmp

Download
memory/280-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-3-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/672-22-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp

Filesize
2.5MB

Download
memory/932-2-0x0000000002AA0000-0x0000000002BF4000-memory.dmp

Filesize
1.3MB

Download
memory/1116-14-0x0000000000401364-mapping.dmp

Download
memory/2024-5-0x0000000000000000-mapping.dmp

Download
memory/2024-21-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/2024-20-0x0000000000380000-0x0000000000384000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads