warzonerat | 10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095

General

Target

gf.exe
Size

847KB
MD5

c1ad9cbcb7bad8a5ae3f13752bab68a1
SHA1

114ebd72632913e4641b03d9e7eed01f1c0362e8
SHA256

10de29d6ca34f4ba474a432588dcab2d09356fb4b3a323075c04c81c45200095
SHA512

f284b853f83ec1e44983f889ae6e15f1b086d4d009115865c05e72a1543b1140ac0dc3d6a5a2b4384c9e98bad74e61dcf836378a7200747d97c6ff5231a519ab

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

23.105.131.198:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2244-26-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/2244-25-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/2244-24-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2804 images.exe

pid	process
2804	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3748 set thread context of 2244 3748 powershell.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3748 powershell.exe
3748 powershell.exe
3748 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3748 powershell.exe

description	pid	process	target process
PID 3748 set thread context of 2244	3748	powershell.exe	MSBuild.exe

pid	process
3748	powershell.exe
3748	powershell.exe
3748	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3748	powershell.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

gf.exe

pid	process
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe

Suspicious use of SendNotifyMessage 19 IoCs

Processes:

gf.exe

pid	process
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe
3920	gf.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

gf.exepowershell.execsc.exeMSBuild.exe

description	pid	process	target process
PID 3920 wrote to memory of 3748	3920	gf.exe	powershell.exe
PID 3920 wrote to memory of 3748	3920	gf.exe	powershell.exe
PID 3920 wrote to memory of 3748	3920	gf.exe	powershell.exe
PID 3748 wrote to memory of 1052	3748	powershell.exe	csc.exe
PID 3748 wrote to memory of 1052	3748	powershell.exe	csc.exe
PID 3748 wrote to memory of 1052	3748	powershell.exe	csc.exe
PID 1052 wrote to memory of 3908	1052	csc.exe	cvtres.exe
PID 1052 wrote to memory of 3908	1052	csc.exe	cvtres.exe
PID 1052 wrote to memory of 3908	1052	csc.exe	cvtres.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 3748 wrote to memory of 2244	3748	powershell.exe	MSBuild.exe
PID 2244 wrote to memory of 2804	2244	MSBuild.exe	images.exe
PID 2244 wrote to memory of 2804	2244	MSBuild.exe	images.exe
PID 2244 wrote to memory of 2804	2244	MSBuild.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\gf.exe
"C:\Users\Admin\AppData\Local\Temp\gf.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s0umyxas\s0umyxas.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D58.tmp" "c:\Users\Admin\AppData\Local\Temp\s0umyxas\CSC1489EBF949BB4F8DA9BFC555E3AF3E5A.TMP"
4⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:2804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\ProgramData\images.exe
MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCMAMjNmw.ps1
MD5
83f3d6f8e49da8fc978a4715c65372bc

SHA1
bc7622d135688252f922a3cb4aa706a43c13f83d

SHA256
c21bcd976308ad8aa803545c69640829f7325c796fba75ef3d635bd7ffdec89b

SHA512
7622cf82efec91a1de6446c2cf423559f3ffc6e5a5b91e5eebce57502d3d3080496b4859907d8d00247fd23097160471c91a3e15c34d16185a6229ede5124730

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D58.tmp
MD5
b1643c64d2ba1c1459d3742eb0cb8b10

SHA1
89fbf015d1a52dd157c842a79703cb5cceb4f5d7

SHA256
d42bd92c64b22096cefe185433241fb3199b8dfb3081e0b32fed0d653f6aac87

SHA512
80e278283cde6619cb34338712a2c6298c9924efbc5cefda1f3a7b72729a8e538b8efa6a23a6c8ba6f9acc1d55b95269bf7ea13fae6994091413383eb1d14994

Download Submit
C:\Users\Admin\AppData\Local\Temp\s0umyxas\s0umyxas.dll
MD5
461ab221e8a6597cbf70679586f859d1

SHA1
8d6983c9cfe5f1b363faefeccca43274694e9553

SHA256
b05f2d04261fbfed3dd8099d660d6937c02e30cecb068cda2ad9c5d376fc1800

SHA512
9ea3d160383e67e9556f4904fb5a450aebc0bf98c3f2a6723b78622890c548793b21c6322d7f878829d1326160ea4d55ed5ab4463eaf9a42632906fe466b53c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s0umyxas\CSC1489EBF949BB4F8DA9BFC555E3AF3E5A.TMP
MD5
9cf8d7bf954c16860180abb0d67d2624

SHA1
3bed152d015d640dfdbfbc3c843ac3da42c315dc

SHA256
22a27169ecec3c2a5f75f13d26ea064f6648d369aba722419ece692c7d4ed3e9

SHA512
d7c6af1ba95fd293d750dd8b702c236eb7b52bca80c69a289675d142af7ae17b7d1d676fed51a019d4fe8c0319b55bb9cd723d92896c917c2cdb0f1aa070d88c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s0umyxas\s0umyxas.0.cs
MD5
e8c41bf3708cc4bd505851f38966151a

SHA1
ab943b19fb2e837904c97a3c52309c1f2c20dc9c

SHA256
54dc97b3a24a8137d2b4dcb052b104ffde93bd4a89297ee2fb522fa346bb01e9

SHA512
40a0f9f82cfed1e51feeeda8f790b1bffb5dc7f878fd86fc8bb3fca9d5133383e3d801bdddc97907361712b9bef75062860ab2b9add12188737d8f0418cd4cc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s0umyxas\s0umyxas.cmdline
MD5
d6320fe61414dbbde98500eff683e2a6

SHA1
b4ab7a126f4323c3261eaeff2ae471716bd5840b

SHA256
42d19bc385e5484a2a5888ce801a9d0e4611aff0b902f5465fc83da01178ec5f

SHA512
a882d7f5de926693c9139ca94aeeb762ef5aa61a4f1cd7090e5ca641cf067452ca39ab1763ff6af6c6759c1bf6ca352b48d8c75e3846abc5b88ca7b14f0804dc

Download Submit
memory/1052-16-0x0000000000000000-mapping.dmp

Download
memory/2244-24-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2244-26-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2244-25-0x0000000000405CE2-mapping.dmp

Download
memory/2804-32-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2804-33-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2804-31-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2804-30-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-27-0x0000000000000000-mapping.dmp

Download
memory/3748-6-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3748-2-0x0000000000000000-mapping.dmp

Download
memory/3748-8-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3748-12-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3748-5-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/3748-11-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3748-7-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/3748-23-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/3748-4-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/3748-9-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3748-3-0x0000000072460000-0x0000000072B4E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-10-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/3748-14-0x000000000D510000-0x000000000D511000-memory.dmp

Filesize
4KB

Download
memory/3748-15-0x000000000CC40000-0x000000000CC41000-memory.dmp

Filesize
4KB

Download
memory/3908-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads