warzonerat | b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

Analysis

max time kernel
77s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
19-01-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Symptomaticshon5.exe
Size

108KB
MD5

09b6c8f169567f8557b2d96d9f6d3644
SHA1

f37977654300daf97df6eea1235bac7ac706cc11
SHA256

b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590
SHA512

478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

185.239.242.145:4442

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3428-8-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/2516-41-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

rundll.exe

pid process

924 rundll.exe
Loads dropped DLL 1 IoCs

Processes:

rundll.exe

pid process

2516 rundll.exe

pid	process
924	rundll.exe

pid	process
2516	rundll.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Symptomaticshon5.exerundll.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	Symptomaticshon5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"	Symptomaticshon5.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SENGEHES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ydretslletspiru7\\Outsingi7.vbs"	rundll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Symptomaticshon5.exeSymptomaticshon5.exerundll.exerundll.exe

pid process

68 Symptomaticshon5.exe
3428 Symptomaticshon5.exe
3428 Symptomaticshon5.exe
924 rundll.exe
2516 rundll.exe
2516 rundll.exe

pid	process
68	Symptomaticshon5.exe
3428	Symptomaticshon5.exe
3428	Symptomaticshon5.exe
924	rundll.exe
2516	rundll.exe
2516	rundll.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

description	pid	process	target process
PID 68 set thread context of 3428	68	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 924 set thread context of 2516	924	rundll.exe	rundll.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

pid process

68 Symptomaticshon5.exe
924 rundll.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Symptomaticshon5.exerundll.exe

pid process

68 Symptomaticshon5.exe
924 rundll.exe

pid	process
68	Symptomaticshon5.exe
924	rundll.exe

pid	process
68	Symptomaticshon5.exe
924	rundll.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Symptomaticshon5.exeSymptomaticshon5.exerundll.exerundll.exe

description	pid	process	target process
PID 68 wrote to memory of 3428	68	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 68 wrote to memory of 3428	68	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 68 wrote to memory of 3428	68	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 68 wrote to memory of 3428	68	Symptomaticshon5.exe	Symptomaticshon5.exe
PID 3428 wrote to memory of 924	3428	Symptomaticshon5.exe	rundll.exe
PID 3428 wrote to memory of 924	3428	Symptomaticshon5.exe	rundll.exe
PID 3428 wrote to memory of 924	3428	Symptomaticshon5.exe	rundll.exe
PID 924 wrote to memory of 2516	924	rundll.exe	rundll.exe
PID 924 wrote to memory of 2516	924	rundll.exe	rundll.exe
PID 924 wrote to memory of 2516	924	rundll.exe	rundll.exe
PID 924 wrote to memory of 2516	924	rundll.exe	rundll.exe
PID 2516 wrote to memory of 3124	2516	rundll.exe	cmd.exe
PID 2516 wrote to memory of 3124	2516	rundll.exe	cmd.exe
PID 2516 wrote to memory of 3124	2516	rundll.exe	cmd.exe
PID 2516 wrote to memory of 3124	2516	rundll.exe	cmd.exe
PID 2516 wrote to memory of 3124	2516	rundll.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
"C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:68

C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe
"C:\Users\Admin\AppData\Local\Temp\Symptomaticshon5.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3428

C:\ProgramData\rundll.exe
"C:\ProgramData\rundll.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\ProgramData\rundll.exe
"C:\ProgramData\rundll.exe"
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rundll.exe

MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\ProgramData\rundll.exe

MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\ProgramData\rundll.exe

MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415

MD5
6ebbb510377546e225f6685aaff2c218

SHA1
00f53a4aac745b22f226e0d7a23c264deed39dfc

SHA256
1d417324ee61821e9cf65cf397c541d67937e5b34fc476be67413c2fd9c0e935

SHA512
1b1041662485832706fec350eb882500d6bc4221e756cc6095edcc569787552c8dfb845f28eec7527bd3b3e1b61d4f4e9c686b94a690e1cd0673b437a1c17051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5887976EDAA817EEF5159B09F6FCD000_0E203DEEA1CF4E1256C816BA0BCE2CC3

MD5
328190e54ce5fe85be2904207680b960

SHA1
8ba455a81ee3e7410995c09969c9f52c64b20172

SHA256
e0f9c4f6ba5abd77f44100af40b475a77e552d8340f6309f1e4af4974412fc17

SHA512
f8aa42bd149d10e1c80b2ce7d4714276eae20c9b59204e3c9edc8cfcba148656294ed8053339be1cd1f94c93a641cb4f528c88baf015c0613d87e488d691b52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874

MD5
3ffa5aba7f7f77909ad0659b5ae79c59

SHA1
4d66b8b58982c28a5e6fff022435c6d7c1eccc1f

SHA256
2fac2cf4fb7a432fa30ee0f22e38bc8bc0881576bb6162afdb871f1cee898256

SHA512
8a76f1c1a480079628710537684ceac8505e693e05c8b317ca9f22ffd2cee98caa32b62a6c84d3b6ed7b10e97a71ff9065037a2d034f602c2a2384d7a1eeaa1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5
4daa63f1e1d59ae80936bd76cf9fa744

SHA1
0173e19a900bc4e8493514f47944241796740387

SHA256
c122ecc975b6c44ed6db67ec276e1c55f55aa8ce31e381d044c41ee8278eca27

SHA512
f2f738ac635a5392a54b47fd5993b763429c783336692b65251f783384e858b34b3279cbe4ec4b0c75e3285e22b24ce32fbcd234b2fca6904dab7248ff4e7513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_507D8E76B9B181409C8E098B073B8415

MD5
e4fd07618b1817b648c0c1777eada1a8

SHA1
4d13050f2f57bbc96986eb4431e128345aa4e4bc

SHA256
2c19801318c518ee158a4a93b999e18bad007c60435d36be2dfe96676998b2ba

SHA512
0da3e3053fe2d5d32a5b4c49d348e8bdb0418f0e16a7749cdd8cda9b22570f807e8fa51de4fa94c48618cf0f0312214c833301cd34a4360c7a0f2ed64dfcc9b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5887976EDAA817EEF5159B09F6FCD000_0E203DEEA1CF4E1256C816BA0BCE2CC3

MD5
2e143d15320e05638cd18a0799eeb7b3

SHA1
64a61f2224563cbe9ff059b77a6099ba8cedb107

SHA256
3309a23d88931df0ce5d6967003bcb3ac510f4521c0eeb0a431d6c9cc04f5d9f

SHA512
f575928443cc3f350ceadd3fda35f71bb588064a57fa80aed2b953da5f869343c9075abcfdb71dcb100b0569d50042784e5afaee15393c7fa04a056df48d473c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874

MD5
b06b00baba3ed3bf7fb0429e4ebb3665

SHA1
825a7cb55c4bd38c33eb4a13d621252261262095

SHA256
e0b1a336b997bc44de5c860bec9ea6b5055ef431c72ee9ffae427ff7297e01d1

SHA512
a4394a859643041044353f3e73282d165d7cd5665499917f660212252970c39f71d4029af934d5e972f33d8d38adfbab5003f9f618282987473943c4fcbd084b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5
b9c5224e2f34228c970ddce39c20af26

SHA1
b2bc7682b633f16b9e0b6707e31845a8bd0f1f1d

SHA256
c3d81626a6b92223b22dd5ebe55105b5c7d43186a7b578f9d8f2b882d89021df

SHA512
48cb89b80a0f33ef844b6ea748165281b90b803bfd2d5286cb1d33f4b356d691592fc2b634e87370cbd4f36c08b287c9cf4023853b9a84be4553e1d0e8e62056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.exe

MD5
09b6c8f169567f8557b2d96d9f6d3644

SHA1
f37977654300daf97df6eea1235bac7ac706cc11

SHA256
b6c1e3eff87deab0b2b41040d22f74c3d824bffbd161f7248f51f3640ac7b590

SHA512
478839f9f93a4abb2d0e8e1c62f58c07839780631f1cdd8b288493967cdecf6e354603ad784f92e8b82425cb4868accdabb37f78cc6ea47d89ac5c1090fce5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ydretslletspiru7\Outsingi7.vbs

MD5
c814e9cd20864913ac2aba6eda254b80

SHA1
0e5ad1325bf6890548850b51faa6f99a618fa8ae

SHA256
94a6f90b3880c06ce3de5d782e722b1006c167138e94a50ba75b97aeeb27d167

SHA512
dd1acb2d6bc34da5df7bfc086c95b787ca681c11c259b022638ff9c023029bc78958b4e4e0e59e5dabb02cde2a435658b50b958bbe91c19cd9e64638df681c0e

Download Submit
memory/68-4-0x0000000002A10000-0x0000000002A1E000-memory.dmp

Filesize
56KB

Download
memory/924-9-0x0000000000000000-mapping.dmp

Download
memory/2516-41-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2516-27-0x000000000040117C-mapping.dmp

Download
memory/2516-30-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2516-56-0x0000000000406000-0x0000000000407000-memory.dmp

Filesize
4KB

Download
memory/3124-42-0x0000000000000000-mapping.dmp

Download
memory/3124-55-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3428-14-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/3428-25-0x0000000000404000-0x0000000000405000-memory.dmp

Filesize
4KB

Download
memory/3428-24-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/3428-23-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/3428-21-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/3428-22-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/3428-19-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/3428-20-0x0000000000403000-0x0000000000404000-memory.dmp

Filesize
4KB

Download
memory/3428-17-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/3428-18-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/3428-16-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/3428-15-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3428-8-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3428-7-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3428-6-0x0000000000401000-0x00000000004FD000-memory.dmp

Filesize
1008KB

Download
memory/3428-5-0x000000000040117C-mapping.dmp

Download