warzonerat | b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729

General

Target

PO#11-17012021,pdf.exe
Size

317KB
MD5

883f037f8db0d45f1dab5dbd539326d2
SHA1

ab9b5572188b37c10eed0b76163667494fb4cc57
SHA256

b6d76a6dd8898fcd223678eec6835de53da6b2af1fc84c90dc502082eb6d8729
SHA512

5336c34028c972118fe8f20ae6beee20ec92c5413450abfdef0a3033edb026ed714ed8bc19772440bc4184ec4385165382d5c8a1551abccebf79a2230349749f

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

206.123.129.103:4565

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1896-8-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#11-17012021,pdf.exe

description pid process target process

PID 2044 set thread context of 1896 2044 PO#11-17012021,pdf.exe PO#11-17012021,pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1796 schtasks.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PO#11-17012021,pdf.exe

pid process

2044 PO#11-17012021,pdf.exe

description	pid	process	target process
PID 2044 set thread context of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe

pid	process
1796	schtasks.exe

pid	process
2044	PO#11-17012021,pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO#11-17012021,pdf.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 488	2044	PO#11-17012021,pdf.exe	cmd.exe
PID 2044 wrote to memory of 488	2044	PO#11-17012021,pdf.exe	cmd.exe
PID 2044 wrote to memory of 488	2044	PO#11-17012021,pdf.exe	cmd.exe
PID 2044 wrote to memory of 488	2044	PO#11-17012021,pdf.exe	cmd.exe
PID 2044 wrote to memory of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe
PID 2044 wrote to memory of 1896	2044	PO#11-17012021,pdf.exe	PO#11-17012021,pdf.exe
PID 488 wrote to memory of 1796	488	cmd.exe	schtasks.exe
PID 488 wrote to memory of 1796	488	cmd.exe	schtasks.exe
PID 488 wrote to memory of 1796	488	cmd.exe	schtasks.exe
PID 488 wrote to memory of 1796	488	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml"
3⤵
- Creates scheduled task(s)
PID:1796

C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO#11-17012021,pdf.exe"
2⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c27cce5ac8d84c439ec7501fa8096513.xml
MD5
a035055e1c80bc652520df45650c690f

SHA1
37b8364ad46e17199eb5a7ee89bb506bba384adb

SHA256
2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655

SHA512
678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1

Download Submit
memory/488-3-0x0000000000000000-mapping.dmp

Download
memory/1796-6-0x0000000000000000-mapping.dmp

Download
memory/1896-4-0x0000000000405CE2-mapping.dmp

Download
memory/1896-8-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2044-2-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads