warzonerat | 5470a74090fda229660d99b498602172d806fee8a15ed77887788eb63f0ea785

General

Target

Copia de pago.exe
Size

1.7MB
MD5

b62f2ebe902cfe1cebb85b269f168637
SHA1

a11ffcc5ce46c65b8c79a02d9bdcae67f7d250b5
SHA256

5470a74090fda229660d99b498602172d806fee8a15ed77887788eb63f0ea785
SHA512

45c9b6e32c1a343d3f2c610d48e0f1c439d512806932c90a3e6800502dc9f941b2c5adf51a53a965c60ef5783913c6b036fa14b8e4be5a2509c493e9c7f2641f

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.50:5751

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1312-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1312-66-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1312-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1864 images.exe
Loads dropped DLL 1 IoCs

Processes:

Copia de pago.exe

pid process

1312 Copia de pago.exe

pid	process
1864	images.exe

pid	process
1312	Copia de pago.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Copia de pago.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	Copia de pago.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Copia de pago.exe

description pid process target process

PID 1652 set thread context of 1312 1652 Copia de pago.exe Copia de pago.exe

description	pid	process	target process
PID 1652 set thread context of 1312	1652	Copia de pago.exe	Copia de pago.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Copia de pago.exeCopia de pago.exe

description	pid	process	target process
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1652 wrote to memory of 1312	1652	Copia de pago.exe	Copia de pago.exe
PID 1312 wrote to memory of 1864	1312	Copia de pago.exe	images.exe
PID 1312 wrote to memory of 1864	1312	Copia de pago.exe	images.exe
PID 1312 wrote to memory of 1864	1312	Copia de pago.exe	images.exe
PID 1312 wrote to memory of 1864	1312	Copia de pago.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\Copia de pago.exe
"C:\Users\Admin\AppData\Local\Temp\Copia de pago.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\Copia de pago.exe
  "C:\Users\Admin\AppData\Local\Temp\Copia de pago.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
b62f2ebe902cfe1cebb85b269f168637

SHA1
a11ffcc5ce46c65b8c79a02d9bdcae67f7d250b5

SHA256
5470a74090fda229660d99b498602172d806fee8a15ed77887788eb63f0ea785

SHA512
45c9b6e32c1a343d3f2c610d48e0f1c439d512806932c90a3e6800502dc9f941b2c5adf51a53a965c60ef5783913c6b036fa14b8e4be5a2509c493e9c7f2641f

Download Submit
C:\ProgramData\images.exe

MD5
b62f2ebe902cfe1cebb85b269f168637

SHA1
a11ffcc5ce46c65b8c79a02d9bdcae67f7d250b5

SHA256
5470a74090fda229660d99b498602172d806fee8a15ed77887788eb63f0ea785

SHA512
45c9b6e32c1a343d3f2c610d48e0f1c439d512806932c90a3e6800502dc9f941b2c5adf51a53a965c60ef5783913c6b036fa14b8e4be5a2509c493e9c7f2641f

Download Submit
\ProgramData\images.exe

MD5
b62f2ebe902cfe1cebb85b269f168637

SHA1
a11ffcc5ce46c65b8c79a02d9bdcae67f7d250b5

SHA256
5470a74090fda229660d99b498602172d806fee8a15ed77887788eb63f0ea785

SHA512
45c9b6e32c1a343d3f2c610d48e0f1c439d512806932c90a3e6800502dc9f941b2c5adf51a53a965c60ef5783913c6b036fa14b8e4be5a2509c493e9c7f2641f

Download Submit
memory/1312-66-0x0000000000405CE2-mapping.dmp

Download
memory/1312-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1312-67-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1312-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1652-64-0x0000000000A70000-0x0000000000AAB000-memory.dmp

Filesize
236KB

Download
memory/1652-59-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1652-63-0x0000000004F40000-0x0000000004FC1000-memory.dmp

Filesize
516KB

Download
memory/1652-62-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1652-61-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1864-70-0x0000000000000000-mapping.dmp

Download
memory/1864-73-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1864-76-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads