warzonerat | 20b8d427a1603e1262b0c7d9a5119d0ea775cb69c690098ecd12a1037a443892

General

Target

KINDLY QUOTE COMPETITIVE PRICE.exe
Size

634KB
MD5

24cdb20f9b57a58becd8db704caaec1a
SHA1

1420f8d5e00c7294cc1ef249cd159852f574b96c
SHA256

20b8d427a1603e1262b0c7d9a5119d0ea775cb69c690098ecd12a1037a443892
SHA512

39f492af2fb5dc53820cb641263e41e1c1ab808cf0d9010748ea4aabf77798d9df381100d62e447bad4cbb861c623f8e06a3a24b442a3ab144144757f1edbf6f

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

dar123.hopto.org:5032

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1964-72-0x00000000005B0000-0x0000000000704000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KINDLY QUOTE COMPETITIVE PRICE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ztntyju = "C:\\Users\\Public\\Libraries\\ujytntZ.url"	KINDLY QUOTE COMPETITIVE PRICE.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

KINDLY QUOTE COMPETITIVE PRICE.exe

description	pid	process	target process
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe
PID 1084 wrote to memory of 1964	1084	KINDLY QUOTE COMPETITIVE PRICE.exe	mobsync.exe

C:\Users\Admin\AppData\Local\Temp\KINDLY QUOTE COMPETITIVE PRICE.exe
"C:\Users\Admin\AppData\Local\Temp\KINDLY QUOTE COMPETITIVE PRICE.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
2⤵
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-61-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1084-62-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1084-65-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1964-66-0x0000000000000000-mapping.dmp

Download
memory/1964-69-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1964-68-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1964-70-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1964-71-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1964-72-0x00000000005B0000-0x0000000000704000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads