warzonerat | b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

Analysis

max time kernel
77s
max time network
141s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Symptomaticshon5.exe
Size

108KB
MD5

09b6c8f169567f8557b2d96d9f6d3644
SHA1

f37977654300daf97df6eea1235bac7ac706cc11
SHA256

b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590
SHA512

478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

185.239.242.145:4442

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2620-8-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/2100-39-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

rundll.exe

pid process

2844 rundll.exe
Loads dropped DLL 1 IoCs

Processes:

rundll.exe

pid process

2100 rundll.exe

pid	process
2844	rundll.exe

pid	process
2100	rundll.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Symptomaticshon5.exerundll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Symptomaticshon5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"	Symptomaticshon5.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"	rundll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Symptomaticshon5.exeSymptomaticshon5.exerundll.exerundll.exe

pid process

648 Symptomaticshon5.exe
2620 Symptomaticshon5.exe
2620 Symptomaticshon5.exe
2844 rundll.exe
2100 rundll.exe
2100 rundll.exe

pid	process
648	Symptomaticshon5.exe
2620	Symptomaticshon5.exe
2620	Symptomaticshon5.exe
2844	rundll.exe
2100	rundll.exe
2100	rundll.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

description	pid	process	target process
PID 648 set thread context of 2620	648	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 2844 set thread context of 2100	2844	rundll.exe	rundll.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

pid process

648 Symptomaticshon5.exe
2844 rundll.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

pid process

648 Symptomaticshon5.exe
2844 rundll.exe

pid	process
648	Symptomaticshon5.exe
2844	rundll.exe

pid	process
648	Symptomaticshon5.exe
2844	rundll.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Symptomaticshon5.exeSymptomaticshon5.exerundll.exerundll.exe

description	pid	process	target process
PID 648 wrote to memory of 2620	648	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 648 wrote to memory of 2620	648	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 648 wrote to memory of 2620	648	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 648 wrote to memory of 2620	648	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 2620 wrote to memory of 2844	2620	Symptomaticshon5.exe	rundll.exe
PID 2620 wrote to memory of 2844	2620	Symptomaticshon5.exe	rundll.exe
PID 2620 wrote to memory of 2844	2620	Symptomaticshon5.exe	rundll.exe
PID 2844 wrote to memory of 2100	2844	rundll.exe	rundll.exe
PID 2844 wrote to memory of 2100	2844	rundll.exe	rundll.exe
PID 2844 wrote to memory of 2100	2844	rundll.exe	rundll.exe
PID 2844 wrote to memory of 2100	2844	rundll.exe	rundll.exe
PID 2100 wrote to memory of 2280	2100	rundll.exe	cmd.exe
PID 2100 wrote to memory of 2280	2100	rundll.exe	cmd.exe
PID 2100 wrote to memory of 2280	2100	rundll.exe	cmd.exe
PID 2100 wrote to memory of 2280	2100	rundll.exe	cmd.exe
PID 2100 wrote to memory of 2280	2100	rundll.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
"C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
"C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2620

C:\ProgramData\rundll.exe
"C:\ProgramData\rundll.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\ProgramData\rundll.exe
"C:\ProgramData\rundll.exe"
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rundll.exe
MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\ProgramData\rundll.exe
MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\ProgramData\rundll.exe
MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415
MD5
6ebbb510377546e225f6685aaff2c218

SHA1
00f53a4aac745b22f226e0d7a23c264deed39dfc

SHA256
1d417324ee61821e9cf65cf397c541d67937e5b34fc476be67413c2fd9c0e935

SHA512
1b1041662485832706fec350eb882500d6bc4221e756cc6095edcc569787552c8dfb845f28eec7527bd3b3e1b61d4f4e9c686b94a690e1cd0673b437a1c17051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
3ffa5aba7f7f77909ad0659b5ae79c59

SHA1
4d66b8b58982c28a5e6fff022435c6d7c1eccc1f

SHA256
2fac2cf4fb7a432fa30ee0f22e38bc8bc0881576bb6162afdb871f1cee898256

SHA512
8a76f1c1a480079628710537684ceac8505e693e05c8b317ca9f22ffd2cee98caa32b62a6c84d3b6ed7b10e97a71ff9065037a2d034f602c2a2384d7a1eeaa1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
4daa63f1e1d59ae80936bd76cf9fa744

SHA1
0173e19a900bc4e8493514f47944241796740387

SHA256
c122ecc975b6c44ed6db67ec276e1c55f55aa8ce31e381d044c41ee8278eca27

SHA512
f2f738ac635a5392a54b47fd5993b763429c783336692b65251f783384e858b34b3279cbe4ec4b0c75e3285e22b24ce32fbcd234b2fca6904dab7248ff4e7513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415
MD5
fe6913b586ef0fb7ed9f0b2071d22b2d

SHA1
e6697f3afd4f66edf333f881c231c0e99e67a2eb

SHA256
7251f780a5078f0aef0224f1e56b88b85e5b3f406e690d72ed43cab95e490c68

SHA512
1f7817be6f8b61d4ccefcf232aed7104445bd856fcbff7af79f94db1692bae6fe82557ed4eeb143087df52f25b6d99dd40313f2cbc27b9f39fe4bdfa87bfe05f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
9fc3fd3b6b2a7072ceccca835168eb05

SHA1
5ecb718d2a34f7abbf85fd40d15a93e0e1cc28f6

SHA256
449821953c454230601e765ae02d48c2fb36f338af600a9f030319f86abec026

SHA512
74a3ffdb0f37829628b7a57348f81c8c69e68f6370219fe1fc6fd950063d95a331a1f061b555fd43ccb18da3a9dfeaeae3f65aafe4dce6f1a3e940c19c94226e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
MD5
115b69d23bd0057e00d1c5b722a2eebf

SHA1
1262c1b6a662b3aa54f840e4e4e069ced216b486

SHA256
54617716b7d63abb3b3ed8607ef192e80642dca41e4fd63c728c1599055f6fc6

SHA512
6d8da0a763f64296a56afcb8826140a19a5a68892d66165fc378848859a71135563e8b82e0ba794979fe4969e861ed719be6c44bd90945c6b789a101ff6d28ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.exe
MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.vbs
MD5
c814e9cd20864913ac2aba6eda254b80

SHA1
0e5ad1325bf6890548850b51faa6f99a618fa8ae

SHA256
94a6f90b3880c06ce3de5d782e722b1006c167138e94a50ba75b97aeeb27d167

SHA512
dd1acb2d6bc34da5df7bfc086c95b787ca681c11c259b022638ff9c023029bc78958b4e4e0e59e5dabb02cde2a435658b50b958bbe91c19cd9e64638df681c0e

Download Submit
memory/648-4-0x0000000002240000-0x000000000224E000-memory.dmp

Filesize
56KB

Download
memory/2100-27-0x000000000040117C-mapping.dmp

Download
memory/2100-39-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2100-30-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2100-54-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/2280-43-0x0000000000000000-mapping.dmp

Download
memory/2280-53-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2620-15-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2620-17-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/2620-25-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/2620-24-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/2620-23-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/2620-22-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/2620-21-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/2620-19-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/2620-18-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2620-20-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/2620-16-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/2620-14-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/2620-5-0x000000000040117C-mapping.dmp

Download
memory/2620-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2620-7-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2620-6-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/2844-9-0x0000000000000000-mapping.dmp

Download