warzonerat | 6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

General

Target

ac5f0a5529dddc9aa2b0e2d515a048d3.exe
Size

819KB
MD5

ac5f0a5529dddc9aa2b0e2d515a048d3
SHA1

fc635c251279497b8f9c044ce0913b9329db1f36
SHA256

6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd
SHA512

04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

79.134.225.39:1990

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4672-119-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4672-120-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/4672-121-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4800-133-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/4800-135-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

windows explorer.exewindows explorer.exe

pid process

4700 windows explorer.exe
4800 windows explorer.exe

pid	process
4700	windows explorer.exe
4800	windows explorer.exe

Drops startup file 2 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows explorer = "C:\\ProgramData\\windows explorer.exe"	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exewindows explorer.exe

description	pid	process	target process
PID 4560 set thread context of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4700 set thread context of 4800	4700	windows explorer.exe	windows explorer.exe

NTFS ADS 1 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description ioc process

File created C:\ProgramData:ApplicationData ac5f0a5529dddc9aa2b0e2d515a048d3.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	ac5f0a5529dddc9aa2b0e2d515a048d3.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ac5f0a5529dddc9aa2b0e2d515a048d3.exeac5f0a5529dddc9aa2b0e2d515a048d3.exewindows explorer.exewindows explorer.exe

description	pid	process	target process
PID 4560 wrote to memory of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4560 wrote to memory of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4560 wrote to memory of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4560 wrote to memory of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4560 wrote to memory of 4672	4560	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	ac5f0a5529dddc9aa2b0e2d515a048d3.exe
PID 4672 wrote to memory of 4700	4672	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 4672 wrote to memory of 4700	4672	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 4672 wrote to memory of 4700	4672	ac5f0a5529dddc9aa2b0e2d515a048d3.exe	windows explorer.exe
PID 4700 wrote to memory of 4800	4700	windows explorer.exe	windows explorer.exe
PID 4700 wrote to memory of 4800	4700	windows explorer.exe	windows explorer.exe
PID 4700 wrote to memory of 4800	4700	windows explorer.exe	windows explorer.exe
PID 4700 wrote to memory of 4800	4700	windows explorer.exe	windows explorer.exe
PID 4700 wrote to memory of 4800	4700	windows explorer.exe	windows explorer.exe
PID 4800 wrote to memory of 4832	4800	windows explorer.exe	cmd.exe
PID 4800 wrote to memory of 4832	4800	windows explorer.exe	cmd.exe
PID 4800 wrote to memory of 4832	4800	windows explorer.exe	cmd.exe
PID 4800 wrote to memory of 4832	4800	windows explorer.exe	cmd.exe
PID 4800 wrote to memory of 4832	4800	windows explorer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
"C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
C:\Users\Admin\AppData\Local\Temp\ac5f0a5529dddc9aa2b0e2d515a048d3.exe
2⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4672

C:\ProgramData\windows explorer.exe
"C:\ProgramData\windows explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4700

C:\ProgramData\windows explorer.exe
"C:\ProgramData\windows explorer.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\ProgramData\windows explorer.exe
MD5
ac5f0a5529dddc9aa2b0e2d515a048d3

SHA1
fc635c251279497b8f9c044ce0913b9329db1f36

SHA256
6ecbffba7ebc7a31d27bcbd81a37468d881f34af3a84ca2ca7eacae5b56f23bd

SHA512
04dc560fd3f776ccc0ed3ce472632ce076d1d0237fe56bca57e7322f51ea96e1ae474bb55c548dd02c1abe65da7af9886a3818dd73eaa0d0e14bb43fce408579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
MD5
0b386e545ea55999453373429254b069

SHA1
aabe11fc24dab5b97e42c56e5664af229f91550a

SHA256
fe808d810397a0a06b233a06bcecdb5abb699eb2b54d349c1485d7afd7b802d6

SHA512
c7a531d2ac070677180c1b07416cc37836adc8bf4f9030c94f7e71f484c48ea57ce8fdc584266e946d61706177b5232beec2a35d3088637f7a2544eec6890209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
MD5
61b5d6964179aa4895ac1bcb1551b9cc

SHA1
166c5d311649b3ce0d3622ab734492d35d295c7f

SHA256
7cb5a7d566f5e87c6a510f96a028690696088e8ce1dfcf157e799386a754e740

SHA512
4beccd50d97610e485d80181ecd3dca4e8b626b287798a3f5279f11105605d5d90efaeca7e814f6d87d97b1c01825cd32f223c6904f396f75974c77ef9132902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EJ6JSH0Q\Kiadqkjagycberfiuzqcfghmimdpktc[1]
MD5
f3e730084f2075466dccef7066eff905

SHA1
99e7b5a7b6c6a9a9b934ef18f11a94a156238f9b

SHA256
21714dea690726cc4e42c99e2dff2d3a149bc7c350e8f5f4a2689c0b3bf46d9c

SHA512
d0a1f4cdf70a84c1652862511e8a7ffc47f796ab2aa41fb1116f29031a54935d78d6c84d50f05a26eabb6815e47decda013a9e71dbf3a4953120b3dcf76a0866

Download Submit
memory/4560-115-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4672-121-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4672-120-0x0000000000405CE2-mapping.dmp

Download
memory/4672-119-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4700-122-0x0000000000000000-mapping.dmp

Download
memory/4700-125-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4800-133-0x0000000000405CE2-mapping.dmp

Download
memory/4800-135-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4832-136-0x0000000000000000-mapping.dmp

Download
memory/4832-137-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads