warzonerat | 831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

Analysis

max time kernel
149s
max time network
42s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe
Size

99KB
MD5

990a0c672b7c9b32833d8ecdd275cd81
SHA1

04d436143bfbe87f09dac7f6ecf9f6ebb68c5081
SHA256

831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3
SHA512

4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

office101.warzonedns.com:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012335-55.dat	warzonerat
behavioral1/files/0x000b000000012335-56.dat	warzonerat
behavioral1/files/0x000b000000012335-58.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
1912	images.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe
2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1912	2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	27
PID 2036 wrote to memory of 1912	2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	27
PID 2036 wrote to memory of 1912	2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	27
PID 2036 wrote to memory of 1912	2036	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	27

C:\Users\Admin\AppData\Local\Temp\831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe
"C:\Users\Admin\AppData\Local\Temp\831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
99KB

MD5
990a0c672b7c9b32833d8ecdd275cd81

SHA1
04d436143bfbe87f09dac7f6ecf9f6ebb68c5081

SHA256
831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

SHA512
4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Download Submit
\ProgramData\images.exe

Filesize
99KB

MD5
990a0c672b7c9b32833d8ecdd275cd81

SHA1
04d436143bfbe87f09dac7f6ecf9f6ebb68c5081

SHA256
831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

SHA512
4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Download Submit
\ProgramData\images.exe

Filesize
99KB

MD5
990a0c672b7c9b32833d8ecdd275cd81

SHA1
04d436143bfbe87f09dac7f6ecf9f6ebb68c5081

SHA256
831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

SHA512
4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Download Submit
memory/2036-54-0x00000000754D1000-0x00000000754D3000-memory.dmp

Filesize
8KB

Download