warzonerat | 4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

General

Target

QUOTATION-007222021.exe
Size

3.0MB
MD5

4b25ce6286e4db04124b13ad0227fd77
SHA1

53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05
SHA256

4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b
SHA512

d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

194.5.97.145:9976

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3944-114-0x00000000029D0000-0x0000000002B24000-memory.dmp	warzonerat
behavioral2/memory/3944-119-0x0000000002D60000-0x0000000003860000-memory.dmp	warzonerat
behavioral2/memory/3024-123-0x0000000002AF0000-0x0000000002C44000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3024 images.exe

pid	process
3024	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QUOTATION-007222021.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	QUOTATION-007222021.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

QUOTATION-007222021.exeimages.exe

description	pid	process	target process
PID 3944 wrote to memory of 3024	3944	QUOTATION-007222021.exe	images.exe
PID 3944 wrote to memory of 3024	3944	QUOTATION-007222021.exe	images.exe
PID 3944 wrote to memory of 3024	3944	QUOTATION-007222021.exe	images.exe
PID 3024 wrote to memory of 3964	3024	images.exe	cmd.exe
PID 3024 wrote to memory of 3964	3024	images.exe	cmd.exe
PID 3024 wrote to memory of 3964	3024	images.exe	cmd.exe
PID 3024 wrote to memory of 3964	3024	images.exe	cmd.exe
PID 3024 wrote to memory of 3964	3024	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION-007222021.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION-007222021.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3944
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
4b25ce6286e4db04124b13ad0227fd77

SHA1
53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05

SHA256
4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

SHA512
d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Download Submit
C:\ProgramData\images.exe

MD5
4b25ce6286e4db04124b13ad0227fd77

SHA1
53ce201bab5c1de3ab8ce4bf2a89eec54fa25a05

SHA256
4d787dca4719a668ec0cca721a93a2ae6b6135a2ddde4f75f2b8b790fb19cc3b

SHA512
d245418614f02e6aefc59e9fa24a82827a09bc0150e89b1ff21e89c4c75d75bf14527ec0b8720e5ecce80b5ab8b1651c14b15d0c7786c0c47d123e8c5cd0bdc3

Download Submit
memory/3024-120-0x0000000000000000-mapping.dmp

Download
memory/3024-123-0x0000000002AF0000-0x0000000002C44000-memory.dmp

Filesize
1.3MB

Download
memory/3944-114-0x00000000029D0000-0x0000000002B24000-memory.dmp

Filesize
1.3MB

Download
memory/3944-119-0x0000000002D60000-0x0000000003860000-memory.dmp

Filesize
11.0MB

Download
memory/3964-128-0x0000000000000000-mapping.dmp

Download
memory/3964-129-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads