warzonerat | 9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

General

Target

EFT_REMITTANCE_ADVICE.exe
Size

975KB
MD5

518c314827a6d5fca576e1a1dda788e9
SHA1

4eae33a11a49f4e67cc81195226cb24411a9285e
SHA256

9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3
SHA512

8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

vigo147.duckdns.org:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/792-14-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/792-15-0x00000000004057A3-mapping.dmp	warzonerat
behavioral2/memory/792-27-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/588-63-0x00000000004057A3-mapping.dmp	warzonerat
behavioral2/memory/588-66-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

2576 images.exe
588 images.exe

pid	process
2576	images.exe
588	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EFT_REMITTANCE_ADVICE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	EFT_REMITTANCE_ADVICE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

EFT_REMITTANCE_ADVICE.exeimages.exe

description	pid	process	target process
PID 580 set thread context of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 2576 set thread context of 588	2576	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1864 schtasks.exe
3768 schtasks.exe

pid	process
1864	schtasks.exe
3768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

EFT_REMITTANCE_ADVICE.exepowershell.exeimages.exepowershell.exe

pid	process
580	EFT_REMITTANCE_ADVICE.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
2576	images.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

EFT_REMITTANCE_ADVICE.exepowershell.exeimages.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	580	EFT_REMITTANCE_ADVICE.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2576	images.exe
Token: SeDebugPrivilege	2280	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

EFT_REMITTANCE_ADVICE.exeEFT_REMITTANCE_ADVICE.exeimages.exeimages.exe

description	pid	process	target process
PID 580 wrote to memory of 1864	580	EFT_REMITTANCE_ADVICE.exe	schtasks.exe
PID 580 wrote to memory of 1864	580	EFT_REMITTANCE_ADVICE.exe	schtasks.exe
PID 580 wrote to memory of 1864	580	EFT_REMITTANCE_ADVICE.exe	schtasks.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 580 wrote to memory of 792	580	EFT_REMITTANCE_ADVICE.exe	EFT_REMITTANCE_ADVICE.exe
PID 792 wrote to memory of 1152	792	EFT_REMITTANCE_ADVICE.exe	powershell.exe
PID 792 wrote to memory of 1152	792	EFT_REMITTANCE_ADVICE.exe	powershell.exe
PID 792 wrote to memory of 1152	792	EFT_REMITTANCE_ADVICE.exe	powershell.exe
PID 792 wrote to memory of 2576	792	EFT_REMITTANCE_ADVICE.exe	images.exe
PID 792 wrote to memory of 2576	792	EFT_REMITTANCE_ADVICE.exe	images.exe
PID 792 wrote to memory of 2576	792	EFT_REMITTANCE_ADVICE.exe	images.exe
PID 2576 wrote to memory of 3768	2576	images.exe	schtasks.exe
PID 2576 wrote to memory of 3768	2576	images.exe	schtasks.exe
PID 2576 wrote to memory of 3768	2576	images.exe	schtasks.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 2576 wrote to memory of 588	2576	images.exe	images.exe
PID 588 wrote to memory of 2280	588	images.exe	powershell.exe
PID 588 wrote to memory of 2280	588	images.exe	powershell.exe
PID 588 wrote to memory of 2280	588	images.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\EFT_REMITTANCE_ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\EFT_REMITTANCE_ADVICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uNiDrem" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC7F.tmp"
2⤵
- Creates scheduled task(s)
PID:1864

C:\Users\Admin\AppData\Local\Temp\EFT_REMITTANCE_ADVICE.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uNiDrem" /XML "C:\Users\Admin\AppData\Local\Temp\tmp449B.tmp"
4⤵
- Creates scheduled task(s)
PID:3768

C:\ProgramData\images.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
518c314827a6d5fca576e1a1dda788e9

SHA1
4eae33a11a49f4e67cc81195226cb24411a9285e

SHA256
9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

SHA512
8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

Download Submit
C:\ProgramData\images.exe
MD5
518c314827a6d5fca576e1a1dda788e9

SHA1
4eae33a11a49f4e67cc81195226cb24411a9285e

SHA256
9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

SHA512
8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

Download Submit
C:\ProgramData\images.exe
MD5
518c314827a6d5fca576e1a1dda788e9

SHA1
4eae33a11a49f4e67cc81195226cb24411a9285e

SHA256
9fa98d845147978f040107c6d725a2b12ba15c204c54ed6d726c0780b40c68c3

SHA512
8b443b00578e6ef1337f539be6be388a2b7dc325f1c8b1dfb6154770cda70bdb7d6ca70fbabfc647cb4fa0e7b0620f9e9bf0edbe04b972cbde1d6bfe1490ec90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
631eb29e6751082c3f0a965a358a0294

SHA1
768ce7229c6f204d90f3137a5ae6957089265d81

SHA256
546706fcb223786ade3d947a596ccbeaf58044682f61d3d432d0da7c6ffe80b3

SHA512
babd1b8a5cabbf7a4f89360809965d89cda82c997b6fac073a8d32ee20476045ae3d7aab8adbe13e331215d49a1827b3fa6b5f56bb463a5b42eab0ecdd4bf369

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp449B.tmp
MD5
ad43e4435fe7a688b53e8e257461fa11

SHA1
cf98f3b39dbbe69e6c85702fe608f3ae6ab9e1a1

SHA256
18dc38d746ab47b4ce79e9c5722661889b2b8af9d191f9f08ebe5ff47c9c2d87

SHA512
a437da6c144ccd7de4923b00b676d032223074cdefe5f7bdcfe32621173e9b6be240a0762a63156f2228d3355a21cce99df03b707a1fd3691bc6a209ad3e3ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC7F.tmp
MD5
ad43e4435fe7a688b53e8e257461fa11

SHA1
cf98f3b39dbbe69e6c85702fe608f3ae6ab9e1a1

SHA256
18dc38d746ab47b4ce79e9c5722661889b2b8af9d191f9f08ebe5ff47c9c2d87

SHA512
a437da6c144ccd7de4923b00b676d032223074cdefe5f7bdcfe32621173e9b6be240a0762a63156f2228d3355a21cce99df03b707a1fd3691bc6a209ad3e3ff5

Download Submit
memory/580-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/580-6-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/580-9-0x0000000007670000-0x000000000767E000-memory.dmp

Filesize
56KB

Download
memory/580-8-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/580-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/580-11-0x0000000009A00000-0x0000000009A01000-memory.dmp

Filesize
4KB

Download
memory/580-10-0x0000000002830000-0x000000000289E000-memory.dmp

Filesize
440KB

Download
memory/580-5-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/588-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/588-63-0x00000000004057A3-mapping.dmp

Download
memory/792-15-0x00000000004057A3-mapping.dmp

Download
memory/792-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/792-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1152-16-0x0000000000000000-mapping.dmp

Download
memory/1152-54-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/1152-21-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1152-31-0x0000000000CD2000-0x0000000000CD3000-memory.dmp

Filesize
4KB

Download
memory/1152-33-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/1152-34-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/1152-35-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1152-36-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1152-38-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/1152-39-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/1152-40-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/1152-42-0x0000000008920000-0x0000000008953000-memory.dmp

Filesize
204KB

Download
memory/1152-49-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/1152-50-0x0000000008CB0000-0x0000000008CB1000-memory.dmp

Filesize
4KB

Download
memory/1152-51-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/1152-52-0x000000007E6A0000-0x000000007E6A1000-memory.dmp

Filesize
4KB

Download
memory/1152-53-0x0000000000CD3000-0x0000000000CD4000-memory.dmp

Filesize
4KB

Download
memory/1152-25-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/1152-56-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/1152-24-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1152-29-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1864-12-0x0000000000000000-mapping.dmp

Download
memory/2280-78-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2280-65-0x0000000000000000-mapping.dmp

Download
memory/2280-68-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-74-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/2280-77-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/2280-79-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

Filesize
4KB

Download
memory/2280-90-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/2280-92-0x000000007F030000-0x000000007F031000-memory.dmp

Filesize
4KB

Download
memory/2280-93-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

Filesize
4KB

Download
memory/2576-20-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-17-0x0000000000000000-mapping.dmp

Download
memory/2576-30-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3768-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads