warzonerat | 55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa

General

Target

Order Sample.exe
Size

548KB
MD5

019959ee5ce020ae98d3936096ac5236
SHA1

748d678080173daebbd8e41858b38b67bcfbc462
SHA256

55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa
SHA512

c4998b282f57e653d4f43764dac8ea48995c8e08313e9bfc00651adb615cf719ce965ed9d88a311a2aaab820e51221c8171c3761d9ccf960f4cfb3fc11446e79

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

176.31.159.203:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1324-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1324-66-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1324-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1848-80-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1848-83-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

1880 images.exe
1848 images.exe
Loads dropped DLL 1 IoCs

Processes:

Order Sample.exe

pid process

1324 Order Sample.exe

pid	process
1880	images.exe
1848	images.exe

pid	process
1324	Order Sample.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Order Sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Order Sample.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Order Sample.exeimages.exe

description	pid	process	target process
PID 1672 set thread context of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1880 set thread context of 1848	1880	images.exe	images.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Order Sample.exeOrder Sample.exeimages.exe

description	pid	process	target process
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1672 wrote to memory of 1324	1672	Order Sample.exe	Order Sample.exe
PID 1324 wrote to memory of 1880	1324	Order Sample.exe	images.exe
PID 1324 wrote to memory of 1880	1324	Order Sample.exe	images.exe
PID 1324 wrote to memory of 1880	1324	Order Sample.exe	images.exe
PID 1324 wrote to memory of 1880	1324	Order Sample.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe
PID 1880 wrote to memory of 1848	1880	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\Order Sample.exe
"C:\Users\Admin\AppData\Local\Temp\Order Sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\Order Sample.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\ProgramData\images.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
019959ee5ce020ae98d3936096ac5236

SHA1
748d678080173daebbd8e41858b38b67bcfbc462

SHA256
55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa

SHA512
c4998b282f57e653d4f43764dac8ea48995c8e08313e9bfc00651adb615cf719ce965ed9d88a311a2aaab820e51221c8171c3761d9ccf960f4cfb3fc11446e79

Download Submit
C:\ProgramData\images.exe

MD5
019959ee5ce020ae98d3936096ac5236

SHA1
748d678080173daebbd8e41858b38b67bcfbc462

SHA256
55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa

SHA512
c4998b282f57e653d4f43764dac8ea48995c8e08313e9bfc00651adb615cf719ce965ed9d88a311a2aaab820e51221c8171c3761d9ccf960f4cfb3fc11446e79

Download Submit
C:\ProgramData\images.exe

MD5
019959ee5ce020ae98d3936096ac5236

SHA1
748d678080173daebbd8e41858b38b67bcfbc462

SHA256
55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa

SHA512
c4998b282f57e653d4f43764dac8ea48995c8e08313e9bfc00651adb615cf719ce965ed9d88a311a2aaab820e51221c8171c3761d9ccf960f4cfb3fc11446e79

Download Submit
\ProgramData\images.exe

MD5
019959ee5ce020ae98d3936096ac5236

SHA1
748d678080173daebbd8e41858b38b67bcfbc462

SHA256
55f6e402d458c2d35fca88a85bc8891d997730198cdfea1313bb66c3107394aa

SHA512
c4998b282f57e653d4f43764dac8ea48995c8e08313e9bfc00651adb615cf719ce965ed9d88a311a2aaab820e51221c8171c3761d9ccf960f4cfb3fc11446e79

Download Submit
memory/1324-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1324-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1324-66-0x0000000000405CE2-mapping.dmp

Download
memory/1324-67-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1672-63-0x0000000004DA0000-0x0000000004E11000-memory.dmp

Filesize
452KB

Download
memory/1672-64-0x00000000040C0000-0x00000000040E3000-memory.dmp

Filesize
140KB

Download
memory/1672-59-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1672-62-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1672-61-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/1848-80-0x0000000000405CE2-mapping.dmp

Download
memory/1848-83-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1880-70-0x0000000000000000-mapping.dmp

Download
memory/1880-73-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/1880-76-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads