warzonerat | a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254

General

Target

SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
Size

1.3MB
MD5

e7e098ec6c3ca85ffd4cb7f2c4605311
SHA1

8d300f5e2ca8375173de14d4319209f16fc1c10e
SHA256

a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254
SHA512

4ba3b152268116d36c33e5e1a7f079b907d68465084da8725225b08de4ffaadc42bc9464806b359ab197031be2bb7554c1d422773f66bc469b2701d96a0b77d0

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.94:5352

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/556-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/556-66-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/556-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1288 images.exe
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

pid process

556 SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

pid	process
1288	images.exe

pid	process
556	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

description	pid	process	target process
PID 320 set thread context of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exeSecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
e7e098ec6c3ca85ffd4cb7f2c4605311

SHA1
8d300f5e2ca8375173de14d4319209f16fc1c10e

SHA256
a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254

SHA512
4ba3b152268116d36c33e5e1a7f079b907d68465084da8725225b08de4ffaadc42bc9464806b359ab197031be2bb7554c1d422773f66bc469b2701d96a0b77d0

Download Submit
C:\ProgramData\images.exe

MD5
e7e098ec6c3ca85ffd4cb7f2c4605311

SHA1
8d300f5e2ca8375173de14d4319209f16fc1c10e

SHA256
a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254

SHA512
4ba3b152268116d36c33e5e1a7f079b907d68465084da8725225b08de4ffaadc42bc9464806b359ab197031be2bb7554c1d422773f66bc469b2701d96a0b77d0

Download Submit
\ProgramData\images.exe

MD5
e7e098ec6c3ca85ffd4cb7f2c4605311

SHA1
8d300f5e2ca8375173de14d4319209f16fc1c10e

SHA256
a8e9ff8520a1ddf67e25641f39246976117be887b68d8bc24c890ae511723254

SHA512
4ba3b152268116d36c33e5e1a7f079b907d68465084da8725225b08de4ffaadc42bc9464806b359ab197031be2bb7554c1d422773f66bc469b2701d96a0b77d0

Download Submit
memory/320-63-0x00000000051D0000-0x000000000524C000-memory.dmp

Filesize
496KB

Download
memory/320-64-0x0000000000970000-0x00000000009A5000-memory.dmp

Filesize
212KB

Download
memory/320-59-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/320-62-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/320-61-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/556-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/556-66-0x0000000000405CE2-mapping.dmp

Download
memory/556-67-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/556-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1288-70-0x0000000000000000-mapping.dmp

Download
memory/1288-73-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1288-76-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 320 wrote to memory of 556	320	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe
PID 556 wrote to memory of 1288	556	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	images.exe
PID 556 wrote to memory of 1288	556	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	images.exe
PID 556 wrote to memory of 1288	556	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	images.exe
PID 556 wrote to memory of 1288	556	SecuriteInfo.com.Trojan.Win32.Save.a.16917.11217.exe	images.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads