warzonerat | 90490e4bfcae318d0ee15e9d10bd23838dc0e7f9c16e4872bf58aad4b16fde88

General

Target

DLLclnbldwrz189r.exe
Size

509KB
MD5

ea66109d778e103e3ce06ee6b389367a
SHA1

14cda06a0640840671fe9fd8e8273246f0db9e1a
SHA256

78f124b7a00d29a4573c261f1ef8be979ce46c347371365ba820ba5750422f88
SHA512

84fd40a1c538aefcf4a703df4c64b943b38b34f9a26cb35c247f5be59a55f5f8d31c216f81ffa79cb7611fde790a7b8bf62fe20ce50633df41ac2b96b9d99155

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

officedesktop004018.webredirect.org:5500

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/368-67-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DLLclnbldwrz189r.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLLclnbldwrz189r = "C:\\Users\\Admin\\AppData\\Roaming\\DLLclnbldwrz189r.exe"	DLLclnbldwrz189r.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DLLclnbldwrz189r.exe

description pid process target process

PID 1668 set thread context of 368 1668 DLLclnbldwrz189r.exe RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DLLclnbldwrz189r.exe

pid process

1668 DLLclnbldwrz189r.exe
1668 DLLclnbldwrz189r.exe

description	pid	process	target process
PID 1668 set thread context of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe

pid	process
1668	DLLclnbldwrz189r.exe
1668	DLLclnbldwrz189r.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DLLclnbldwrz189r.exe

description	pid	process	target process
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 1688	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe
PID 1668 wrote to memory of 368	1668	DLLclnbldwrz189r.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\DLLclnbldwrz189r.exe
"C:\Users\Admin\AppData\Local\Temp\DLLclnbldwrz189r.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-64-0x0000000000405CE2-mapping.dmp

Download
memory/368-65-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/368-67-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1668-59-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x0000000000DA0000-0x0000000000DC4000-memory.dmp

Filesize
144KB

Download
memory/1668-66-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads