warzonerat | a1831c0238db7a6a5ae73a0c3e9c8be6075b20a3c9e393fc2a54fe830a923951

Analysis

max time kernel
29s
max time network
37s
platform
windows7_x64
resource
win7-en-20211208
submitted
14-12-2021 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-Order_2021-12-14_01-44.exe
Size

198KB
MD5

db2f1ed0345766e080940d66d31e6757
SHA1

31ec6cd22db735c0695fe64aac87e138d2f3978b
SHA256

a1831c0238db7a6a5ae73a0c3e9c8be6075b20a3c9e393fc2a54fe830a923951
SHA512

fbaade57cf8ff2c93a45f24654a756bb038600314d6e658f241e3359d7c5f3f869071d60f777421f9d8e9d7b8adf143c14900399134572209e5e731759635936

Score

10^/10

warzonerat collection infostealer rat spyware stealer

Malware Config

Extracted

Family

warzonerat

huhuhu.ooguy.com:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1608-55-0x0000000000220000-0x000000000023E000-memory.dmp	warzonerat
behavioral1/memory/1608-56-0x0000000000400000-0x0000000000824000-memory.dmp	warzonerat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

New-Order_2021-12-14_01-44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New-Order_2021-12-14_01-44.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New-Order_2021-12-14_01-44.exe

outlook_office_path 1 IoCs

Processes:

New-Order_2021-12-14_01-44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New-Order_2021-12-14_01-44.exe

outlook_win_path 1 IoCs

Processes:

New-Order_2021-12-14_01-44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New-Order_2021-12-14_01-44.exe

C:\Users\Admin\AppData\Local\Temp\New-Order_2021-12-14_01-44.exe
"C:\Users\Admin\AppData\Local\Temp\New-Order_2021-12-14_01-44.exe"
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-53-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/1608-54-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1608-56-0x0000000000400000-0x0000000000824000-memory.dmp

Filesize
4.1MB

Download
memory/1608-57-0x0000000003AF0000-0x0000000003B74000-memory.dmp

Filesize
528KB

Download