warzonerat | b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7

General

Target

DrawingKit.exe
Size

2.6MB
MD5

afbbc77f23451f4251297a09759ace85
SHA1

6be1dfae9a86a0fd7dcfefca2c0f52b17041b152
SHA256

b730bb13134ec777d56a12867d2bca49a1131a49393ab1fa23dcb27a1d3b3cd7
SHA512

f8572e449ec04140a52873c12565f52521e5beafe5312b76422c4b8b91c03cc36652a6eae6a72c7b364bb198538f4bcc1859b23b4d2966869c233284a28350e6

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

cfr.eur-import.com:6021

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2176-120-0x0000000002E00000-0x0000000002F54000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

CompareTuner.exe

pid process

2176 CompareTuner.exe
Loads dropped DLL 1 IoCs

Processes:

CompareTuner.exe

pid process

2176 CompareTuner.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2176	CompareTuner.exe

pid	process
2176	CompareTuner.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

DrawingKit.exe

description	pid	process	target process
PID 3872 wrote to memory of 2176	3872	DrawingKit.exe	CompareTuner.exe
PID 3872 wrote to memory of 2176	3872	DrawingKit.exe	CompareTuner.exe
PID 3872 wrote to memory of 2176	3872	DrawingKit.exe	CompareTuner.exe

C:\Users\Admin\AppData\Local\Temp\DrawingKit.exe
"C:\Users\Admin\AppData\Local\Temp\DrawingKit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\CompareTuner.exe
C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\CompareTuner.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\CompareTuner.exe
MD5
5bfc5521c712e2c509cd702d30f3f13e

SHA1
1a230d69c77a89824a2a34dd8f32a46c9f53e2b9

SHA256
53264e3f2d74843961e002c3337a0c17d2f615ce788dc52cbea29c86da07e1a0

SHA512
0446789a70e125a7e824f099666bad256d06a27d489742e63ff984f9998d71cf960dae0958fca4972675092d09451b1afcc4228ef8dd6fd81f6fd067c4fad280

Download Submit
C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\CompareTuner.exe
MD5
5bfc5521c712e2c509cd702d30f3f13e

SHA1
1a230d69c77a89824a2a34dd8f32a46c9f53e2b9

SHA256
53264e3f2d74843961e002c3337a0c17d2f615ce788dc52cbea29c86da07e1a0

SHA512
0446789a70e125a7e824f099666bad256d06a27d489742e63ff984f9998d71cf960dae0958fca4972675092d09451b1afcc4228ef8dd6fd81f6fd067c4fad280

Download Submit
C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\settings.xml
MD5
ec45e757a96aba48f228d67fd57e745d

SHA1
cb41ee83dd8a1c91dbada3d15921c2ca6ecf6b92

SHA256
470c4cdcaa82483b6bb5eae801f780ab61d614faf294e1b74442284db73d62e0

SHA512
6b63a3d9646e9263c5f30fd87905db95bd69396d1f437c755b7631a492d8eafa39d50afe709bf3a43df6d388559cd400b449197f3a19f8230f365fee90d2d691

Download Submit
C:\Users\Admin\AppData\Roaming\CompareTunerSoftware\taglib5.dll
MD5
6a4d8c9aa266df82555326a1972d8b64

SHA1
27bf2873027a7162816116154b281235c515a00a

SHA256
474bda95a44737096755e27e6952e78c103b73a078446085870c2b1cf984691a

SHA512
8077b142937689d9aa91e185bb39750daf9dac877070cc6943bdaf1e4fa3cfa45743dec47413fd60afaf59964740c7a822458f3dad81dc511a91caa2ae45cd16

Download Submit
\Users\Admin\AppData\Roaming\CompareTunerSoftware\taglib5.dll
MD5
6a4d8c9aa266df82555326a1972d8b64

SHA1
27bf2873027a7162816116154b281235c515a00a

SHA256
474bda95a44737096755e27e6952e78c103b73a078446085870c2b1cf984691a

SHA512
8077b142937689d9aa91e185bb39750daf9dac877070cc6943bdaf1e4fa3cfa45743dec47413fd60afaf59964740c7a822458f3dad81dc511a91caa2ae45cd16

Download Submit
memory/2176-114-0x0000000000000000-mapping.dmp

Download
memory/2176-120-0x0000000002E00000-0x0000000002F54000-memory.dmp

Filesize
1.3MB

Download
memory/2176-126-0x00000000031E0000-0x0000000003640000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing