warzonerat | 831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2022 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe
Size

99KB
MD5

990a0c672b7c9b32833d8ecdd275cd81
SHA1

04d436143bfbe87f09dac7f6ecf9f6ebb68c5081
SHA256

831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3
SHA512

4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

office101.warzonedns.com:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000022e9e-131.dat	warzonerat
behavioral2/files/0x0006000000022e9e-132.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
4452	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4452	4228	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	82
PID 4228 wrote to memory of 4452	4228	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	82
PID 4228 wrote to memory of 4452	4228	831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe	82

C:\Users\Admin\AppData\Local\Temp\831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe
"C:\Users\Admin\AppData\Local\Temp\831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4228
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  PID:4452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
99KB

MD5
990a0c672b7c9b32833d8ecdd275cd81

SHA1
04d436143bfbe87f09dac7f6ecf9f6ebb68c5081

SHA256
831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

SHA512
4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Download Submit
C:\ProgramData\images.exe

Filesize
99KB

MD5
990a0c672b7c9b32833d8ecdd275cd81

SHA1
04d436143bfbe87f09dac7f6ecf9f6ebb68c5081

SHA256
831e4102b5901ad809e6a2b2460901b48a8c7c0a6786620e1266c51dd22777c3

SHA512
4a11ca8da42b0ecd3c12462d56a1f4f27dcb02e6bbc4c9b8e988528b2217ebd07dcb3cfe5c51966bff0ba9dc6e44277dd21758d09f09e33d076fb3294a8a28d1

Download Submit