warzonerat | 22375ee635115a132f557df892d58c04f76d6d9eae8a77340e9a746273aae4f2

General

Target

PDF.exe
Size

807KB
MD5

1032e6ffdbb406b3ee80d7c50989e2b5
SHA1

fb63c770ba76d25f181be481acef62aa2cf5f82c
SHA256

be38a69081db308b628205a8d3bf1053120da733b05f38ac497a295723d2b29f
SHA512

bd5203164dd2a966c1db164f6d472615932a673d7be6105c5c36a130e1bb7582e4a9a479833ecbc102c36a5786ef1e459b8eec944beb8cdf51c763078a2923f3

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.157.160.215:2211

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1384-67-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1384-68-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1384-70-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

PDF.exe

description pid process target process

PID 1860 set thread context of 1384 1860 PDF.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PDF.exe

pid process

1860 PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PDF.exe

description pid process

Token: SeDebugPrivilege 1860 PDF.exe

description	pid	process	target process
PID 1860 set thread context of 1384	1860	PDF.exe	vbc.exe

pid	process
1688	schtasks.exe

pid	process
1860	PDF.exe

description	pid	process
Token: SeDebugPrivilege	1860	PDF.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

PDF.exe

description	pid	process	target process
PID 1860 wrote to memory of 1688	1860	PDF.exe	schtasks.exe
PID 1860 wrote to memory of 1688	1860	PDF.exe	schtasks.exe
PID 1860 wrote to memory of 1688	1860	PDF.exe	schtasks.exe
PID 1860 wrote to memory of 1688	1860	PDF.exe	schtasks.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe
PID 1860 wrote to memory of 1384	1860	PDF.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GrxeqzFZZljX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp452B.tmp"
2⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp452B.tmp

MD5
4d4775bb67016511d58e31e271dc5f25

SHA1
2ece62cfb7e36dc39cd52e1c560c37de9d70415d

SHA256
827c8a19353cc25d1a1c2faa815e796e384f49a79a63079ef6873c0fba2fa78e

SHA512
29a5c5d2c3849ee0b43aa6fd432cc776ec7d17ab98cb2ee49677feffbd7f8773492b9573ac993dcbb17efc0adc008277f58665d07a220144c24298c93c2aa88b

Download Submit
memory/1384-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1384-68-0x0000000000405CE2-mapping.dmp

Download
memory/1384-69-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1384-70-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1688-65-0x0000000000000000-mapping.dmp

Download
memory/1860-59-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/1860-61-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1860-62-0x0000000009E90000-0x000000000BE8F000-memory.dmp

Filesize
32.0MB

Download
memory/1860-63-0x000000000BE90000-0x000000000BEF7000-memory.dmp

Filesize
412KB

Download
memory/1860-64-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads