warzonerat | a00feeae0a1b83aef1d8799207ea717e339c4709a197652d5450cb9f58d48666

General

Target

tt.exe
Size

3.0MB
MD5

dbcf9780b5cf4dc830a9f0622a730034
SHA1

8b8fb0e31efc48f7ac2c396439dc7bf21e8f55e3
SHA256

a00feeae0a1b83aef1d8799207ea717e339c4709a197652d5450cb9f58d48666
SHA512

4de12fd737b21057c736bb6f2f9f64607a90fbceb33af8da426467815a4d4343d63a370678c320549c08c54f39d6c1335ceacb101d3d5f541594295aebef4abf

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

54.39.198.162:8842

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1268-60-0x0000000002260000-0x00000000023B4000-memory.dmp	warzonerat
behavioral1/memory/1268-65-0x0000000002400000-0x0000000002F00000-memory.dmp	warzonerat
behavioral1/memory/608-70-0x0000000002CE0000-0x0000000002E34000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

Images.exe

pid process

608 Images.exe
Loads dropped DLL 1 IoCs

Processes:

tt.exe

pid process

1268 tt.exe

pid	process
608	Images.exe

pid	process
1268	tt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images.exe = "C:\\ProgramData\\Images.exe"	tt.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tt.exe

description	pid	process	target process
PID 1268 wrote to memory of 608	1268	tt.exe	Images.exe
PID 1268 wrote to memory of 608	1268	tt.exe	Images.exe
PID 1268 wrote to memory of 608	1268	tt.exe	Images.exe
PID 1268 wrote to memory of 608	1268	tt.exe	Images.exe

C:\Users\Admin\AppData\Local\Temp\tt.exe
"C:\Users\Admin\AppData\Local\Temp\tt.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\ProgramData\Images.exe
"C:\ProgramData\Images.exe"
2⤵
- Executes dropped EXE
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Images.exe
MD5
dbcf9780b5cf4dc830a9f0622a730034

SHA1
8b8fb0e31efc48f7ac2c396439dc7bf21e8f55e3

SHA256
a00feeae0a1b83aef1d8799207ea717e339c4709a197652d5450cb9f58d48666

SHA512
4de12fd737b21057c736bb6f2f9f64607a90fbceb33af8da426467815a4d4343d63a370678c320549c08c54f39d6c1335ceacb101d3d5f541594295aebef4abf

Download Submit
C:\ProgramData\Images.exe
MD5
dbcf9780b5cf4dc830a9f0622a730034

SHA1
8b8fb0e31efc48f7ac2c396439dc7bf21e8f55e3

SHA256
a00feeae0a1b83aef1d8799207ea717e339c4709a197652d5450cb9f58d48666

SHA512
4de12fd737b21057c736bb6f2f9f64607a90fbceb33af8da426467815a4d4343d63a370678c320549c08c54f39d6c1335ceacb101d3d5f541594295aebef4abf

Download Submit
\ProgramData\Images.exe
MD5
dbcf9780b5cf4dc830a9f0622a730034

SHA1
8b8fb0e31efc48f7ac2c396439dc7bf21e8f55e3

SHA256
a00feeae0a1b83aef1d8799207ea717e339c4709a197652d5450cb9f58d48666

SHA512
4de12fd737b21057c736bb6f2f9f64607a90fbceb33af8da426467815a4d4343d63a370678c320549c08c54f39d6c1335ceacb101d3d5f541594295aebef4abf

Download Submit
memory/608-67-0x0000000000000000-mapping.dmp

Download
memory/608-70-0x0000000002CE0000-0x0000000002E34000-memory.dmp

Filesize
1.3MB

Download
memory/1268-59-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1268-60-0x0000000002260000-0x00000000023B4000-memory.dmp

Filesize
1.3MB

Download
memory/1268-65-0x0000000002400000-0x0000000002F00000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads