warzonerat | 6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7v20210408
submitted
15-09-2021 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac5f0a5529dddc9aa2b0e2d515a048d3.exe
Size

819KB
MD5

ac5f0a5529dddc9aa2b0e2d515a048d3
SHA1

fc635c251279497b8f9c044ce0913b9329db1f36
SHA256

6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd
SHA512

04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

79.134.225.39:1990

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1292-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1292-66-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/1292-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/792-84-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/792-87-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

windows explorer.exewindows explorer.exe

pid process

1580 windows explorer.exe
792 windows explorer.exe

pid	process
1580	windows explorer.exe
792	windows explorer.exe

Drops startup file 2 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Loads dropped DLL 2 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

pid process

1292 ac5f0a5529dddc9aa2b0e2d515a048d3.exe
1292 ac5f0a5529dddc9aa2b0e2d515a048d3.exe

pid	process
1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\windows explorer = "C:\\ProgramData\\windows explorer.exe"	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exewindows explorer.exe

description	pid	process	target process
PID 1028 set thread context of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1580 set thread context of 792	1580	windows explorer.exe	windows explorer.exe

NTFS ADS 1 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description ioc process

File created C:\ProgramData:ApplicationData ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exeac5f0a5529dddc9aa2b0e2d515a048d3.exewindows explorer.exewindows explorer.exe

description	pid	process	target process
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1028 wrote to memory of 1292	1028	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 1292 wrote to memory of 1580	1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 1292 wrote to memory of 1580	1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 1292 wrote to memory of 1580	1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 1292 wrote to memory of 1580	1292	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 1580 wrote to memory of 792	1580	windows explorer.exe	windows explorer.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe
PID 792 wrote to memory of 1600	792	windows explorer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
"C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1292

C:\ProgramData\windows explorer.exe
"C:\ProgramData\windows explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\ProgramData\windows explorer.exe
"C:\ProgramData\windows explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
bbfeb1008ac3cd7f90857087ba5ceedb

SHA1
e1892def882ccfb7db56370343dac20190994dbe

SHA256
3cdc9f627e492bc7912f23ef52d8699100a8a3ac3332148e188ff7f2184e6229

SHA512
eb5623e6d55d041d530919b8529de2980d97422b8478515abd88daf49d50fde2cef53b376bd53361d057cf2e90146dddfd380415e3668f0a0534dc56f84860a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
78d113ee4f00d5c4b95400049425c181

SHA1
f09ca6cf32fb010ba7689bfeafe0be7ea088863d

SHA256
80a61f4edba1a0971e1e714ea510280ce00712525195451dacd11ee3699ca611

SHA512
8548261e67f27ec379be37e3b6317103699a24c9c23d13424abc8785cbe9e4377c7119aab3cf6e857a82f2ba18e1a1bc1479136e20412ca7dcb1dac030ce560e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0edccee3e64c22f0e0facd7cb1adac32

SHA1
3790faa3abc9f1f4417bc3175c14941616b87e77

SHA256
8b5633ddb00d4a54fcf03fd89ae327d4c402624ba5f50ea3be9fd527630862b2

SHA512
f55494ed9c673f8b4ca708b48d28e445f73aa991e8840a2b070d6077a0165d0d6cd96e6d44dbf6dc3249a378de140815d67dc4ee359c6397bf7d77af76b9aa20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\Kiadqkjagycberfiuzqcfghmimdpktc[1]
MD5
f3e730084f2075466dccef7066eff905

SHA1
99e7b5a7b6c6a9a9b934ef18f11a94a156238f9b

SHA256
21714dea690726cc4e42c99e2dff2d3a149bc7c350e8f5f4a2689c0b3bf46d9c

SHA512
d0a1f4cdf70a84c1652862511e8a7ffc47f796ab2aa41fb1116f29031a54935d78d6c84d50f05a26eabb6815e47decda013a9e71dbf3a4953120b3dcf76a0866

Download Submit
\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
memory/792-84-0x0000000000405CE2-mapping.dmp

Download
memory/792-87-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1028-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1028-64-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1292-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1292-66-0x0000000000405CE2-mapping.dmp

Download
memory/1292-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1580-71-0x0000000000000000-mapping.dmp

Download
memory/1580-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1600-88-0x0000000000000000-mapping.dmp

Download
memory/1600-89-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download