warzonerat | 8ec53980cf686b472cfce52d0dc99a86ec328f2c596714b7c0468d957248ff36

General

Target

3b377d022762ca91179f7f9ccd69d567.exe
Size

819KB
MD5

3b377d022762ca91179f7f9ccd69d567
SHA1

f6a8d47a3379bd0ac2cd96782ba3f7040045d5d9
SHA256

8ec53980cf686b472cfce52d0dc99a86ec328f2c596714b7c0468d957248ff36
SHA512

ac9210b72f873f2974304acea681c80d4ea24f4752f2376a1f5c6a9f9aed91264c97af31e5370a4efb8dcd5e4f8b96c601c6f972af4e8a851a77c68c3cfe9923

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

engkaa.ddns.net:4545

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/916-66-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/916-65-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/916-68-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

824 cmd.exe

pid	process
824	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3b377d022762ca91179f7f9ccd69d567.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cymkfzk = "C:\\Users\\Public\\Libraries\\kzfkmyC.url"	3b377d022762ca91179f7f9ccd69d567.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b377d022762ca91179f7f9ccd69d567.exe

description pid process target process

PID 1640 set thread context of 916 1640 3b377d022762ca91179f7f9ccd69d567.exe 3b377d022762ca91179f7f9ccd69d567.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE

description	pid	process	target process
PID 1640 set thread context of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe

pid	process
2016	PING.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3b377d022762ca91179f7f9ccd69d567.exe3b377d022762ca91179f7f9ccd69d567.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 1640 wrote to memory of 916	1640	3b377d022762ca91179f7f9ccd69d567.exe	3b377d022762ca91179f7f9ccd69d567.exe
PID 916 wrote to memory of 824	916	3b377d022762ca91179f7f9ccd69d567.exe	cmd.exe
PID 916 wrote to memory of 824	916	3b377d022762ca91179f7f9ccd69d567.exe	cmd.exe
PID 916 wrote to memory of 824	916	3b377d022762ca91179f7f9ccd69d567.exe	cmd.exe
PID 916 wrote to memory of 824	916	3b377d022762ca91179f7f9ccd69d567.exe	cmd.exe
PID 824 wrote to memory of 2016	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 2016	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 2016	824	cmd.exe	PING.EXE
PID 824 wrote to memory of 2016	824	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\3b377d022762ca91179f7f9ccd69d567.exe
"C:\Users\Admin\AppData\Local\Temp\3b377d022762ca91179f7f9ccd69d567.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\3b377d022762ca91179f7f9ccd69d567.exe
C:\Users\Admin\AppData\Local\Temp\3b377d022762ca91179f7f9ccd69d567.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3b377d022762ca91179f7f9ccd69d567.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\PING.EXE
ping 1.2.3.4 -n 2 -w 1000
4⤵
- Runs ping.exe
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-70-0x0000000000000000-mapping.dmp

Download
memory/916-66-0x0000000000405CE2-mapping.dmp

Download
memory/916-65-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/916-68-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/916-69-0x00000000037A0000-0x0000000003824000-memory.dmp

Filesize
528KB

Download
memory/1640-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1640-64-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/2016-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads