warzonerat | eb9cc50ca63d4dce9240a7b0addffe5949ece11aa8aafac07b2c7072243023e3

General

Target

OQ_PO_4500148488_Rev1.exe
Size

259KB
MD5

5434606b4299d30ef9ba8d4ddafe3e77
SHA1

3bd6309a6ef81b54accdc5cc3de3d07b9d677ef3
SHA256

322f8919feb65490f33815c92b90a96ccffd0a050d0ae491c360c498f3d2612b
SHA512

aef8f2f571d5ca3759a402b7410abf6a33c62736db12261c73dd4ccb045ab22217688296663e37155eaafa876e60ec7ba7faf9dda91e77f25e1a19074b483c7e

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

blacice24.hopto.org:5032

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1220-63-0x0000000000455CE2-mapping.dmp	warzonerat
behavioral1/memory/1220-68-0x0000000000450000-0x00000000005A4000-memory.dmp	warzonerat

Loads dropped DLL 1 IoCs

Processes:

OQ_PO_4500148488_Rev1.exe

pid process

2020 OQ_PO_4500148488_Rev1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

OQ_PO_4500148488_Rev1.exe

description pid process target process

PID 2020 set thread context of 1220 2020 OQ_PO_4500148488_Rev1.exe OQ_PO_4500148488_Rev1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1956 1220 WerFault.exe OQ_PO_4500148488_Rev1.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1956 WerFault.exe
1956 WerFault.exe
1956 WerFault.exe
1956 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1956 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1956 WerFault.exe

pid	process
2020	OQ_PO_4500148488_Rev1.exe

description	pid	process	target process
PID 2020 set thread context of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe

pid	pid_target	process	target process
1956	1220	WerFault.exe	OQ_PO_4500148488_Rev1.exe

pid	process
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe

pid	process
1956	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1956	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

OQ_PO_4500148488_Rev1.exeOQ_PO_4500148488_Rev1.exe

description	pid	process	target process
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 2020 wrote to memory of 1220	2020	OQ_PO_4500148488_Rev1.exe	OQ_PO_4500148488_Rev1.exe
PID 1220 wrote to memory of 1956	1220	OQ_PO_4500148488_Rev1.exe	WerFault.exe
PID 1220 wrote to memory of 1956	1220	OQ_PO_4500148488_Rev1.exe	WerFault.exe
PID 1220 wrote to memory of 1956	1220	OQ_PO_4500148488_Rev1.exe	WerFault.exe
PID 1220 wrote to memory of 1956	1220	OQ_PO_4500148488_Rev1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\OQ_PO_4500148488_Rev1.exe
"C:\Users\Admin\AppData\Local\Temp\OQ_PO_4500148488_Rev1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\OQ_PO_4500148488_Rev1.exe
"C:\Users\Admin\AppData\Local\Temp\OQ_PO_4500148488_Rev1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 200
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\diejc.dll

MD5
7c459eba4c5d0ff2d23d6024aa8baf2c

SHA1
f7473200d12d87f8bfcd0d5f234c50650f9c8a1e

SHA256
4f2c63127e057a907382d460939a032aa0afe718dc9aed9d08ea4f868c83ea5f

SHA512
e0f40e7170f541bd737c2d393d38bcc128980df082995175394075952496e46674b44890ef4e3b5d715dd72e1ffdd7964b0e1f594e1606fdeef56bd120f2a32c

Download Submit
memory/1220-63-0x0000000000455CE2-mapping.dmp

Download
memory/1220-68-0x0000000000450000-0x00000000005A4000-memory.dmp

Filesize
1.3MB

Download
memory/1956-71-0x0000000000000000-mapping.dmp

Download
memory/1956-72-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2020-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing