warzonerat | 4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

General

Target

QUOTATION-007222021.exe
Size

3.0MB
MD5

4b25ce6286e4db04124b13ad0227fd77
SHA1

53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05
SHA256

4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b
SHA512

d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.145:9976

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1208-60-0x00000000009C0000-0x0000000000B14000-memory.dmp	warzonerat
behavioral1/memory/1208-65-0x00000000027C0000-0x00000000032C0000-memory.dmp	warzonerat
behavioral1/memory/1628-70-0x0000000002020000-0x0000000002174000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1628 images.exe
Loads dropped DLL 1 IoCs

Processes:

QUOTATION-007222021.exe

pid process

1208 QUOTATION-007222021.exe

pid	process
1628	images.exe

pid	process
1208	QUOTATION-007222021.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QUOTATION-007222021.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	QUOTATION-007222021.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

QUOTATION-007222021.exeimages.exe

description	pid	process	target process
PID 1208 wrote to memory of 1628	1208	QUOTATION-007222021.exe	images.exe
PID 1208 wrote to memory of 1628	1208	QUOTATION-007222021.exe	images.exe
PID 1208 wrote to memory of 1628	1208	QUOTATION-007222021.exe	images.exe
PID 1208 wrote to memory of 1628	1208	QUOTATION-007222021.exe	images.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe
PID 1628 wrote to memory of 960	1628	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION-007222021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION-007222021.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
4b25ce6286e4db04124b13ad0227fd77

SHA1
53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05

SHA256
4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

SHA512
d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Download Submit
C:\ProgramData\images.exe
MD5
4b25ce6286e4db04124b13ad0227fd77

SHA1
53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05

SHA256
4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

SHA512
d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Download Submit
\ProgramData\images.exe
MD5
4b25ce6286e4db04124b13ad0227fd77

SHA1
53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05

SHA256
4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

SHA512
d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Download Submit
memory/960-76-0x0000000000000000-mapping.dmp

Download
memory/960-77-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1208-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1208-60-0x00000000009C0000-0x0000000000B14000-memory.dmp

Filesize
1.3MB

Download
memory/1208-65-0x00000000027C0000-0x00000000032C0000-memory.dmp

Filesize
11.0MB

Download
memory/1628-67-0x0000000000000000-mapping.dmp

Download
memory/1628-70-0x0000000002020000-0x0000000002174000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads