warzonerat | 0fba4fd5ff2a688d0c0c0597c84436a5adcff4c2e5396057962a121af79ad382

General

Target

3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll
Size

2.1MB
MD5

a97f17d7e510b0d4ec4001117a6841f1
SHA1

eb1d1ea6719cdce7888de2a92661d070867667d5
SHA256

3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9
SHA512

d3941e83a3ef974c621aeef4cb4b9611e9a6a6527217ea0af6e69d0de97b877743c33ca3ec73d6d7718b8bf5033dbe190fb75a7883ceafc0d22429e94b082df4
SSDEEP

12288:BS7bj8jdxOe8bzbBSref+HvqABx5vLuW4x:B68aX1QiAr5aW4x

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

warzonerat

C2

windnsch.freeddns.org:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/376-155-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/376-157-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/376-159-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral2/memory/376-162-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2072	xLok.exe
3120	maintenance.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	RegAsm.exe

Loads dropped DLL 2 IoCs

pid	Process
5076	EXCEL.EXE
5076	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\maintenance = "C:\\Users\\Admin\\Documents\\maintenance.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 376	2072	xLok.exe	91

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	RegAsm.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5076	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	EXCEL.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE
5076	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2072	5076	EXCEL.EXE	87
PID 5076 wrote to memory of 2072	5076	EXCEL.EXE	87
PID 5076 wrote to memory of 2072	5076	EXCEL.EXE	87
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 2072 wrote to memory of 376	2072	xLok.exe	91
PID 376 wrote to memory of 3120	376	RegAsm.exe	93
PID 376 wrote to memory of 3120	376	RegAsm.exe	93
PID 376 wrote to memory of 3120	376	RegAsm.exe	93

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\xLok.exe
  "C:\Users\Admin\AppData\Local\Temp\xLok.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Users\Admin\Documents\maintenance.exe
      "C:\Users\Admin\Documents\maintenance.exe"
      4⤵
      Executes dropped EXE
      PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll

Filesize
2.1MB

MD5
a97f17d7e510b0d4ec4001117a6841f1

SHA1
eb1d1ea6719cdce7888de2a92661d070867667d5

SHA256
3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9

SHA512
d3941e83a3ef974c621aeef4cb4b9611e9a6a6527217ea0af6e69d0de97b877743c33ca3ec73d6d7718b8bf5033dbe190fb75a7883ceafc0d22429e94b082df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9.xll

Filesize
2.1MB

MD5
a97f17d7e510b0d4ec4001117a6841f1

SHA1
eb1d1ea6719cdce7888de2a92661d070867667d5

SHA256
3186f04f5598615272f7dcb18de5c852ba5629e8c7a381cd1630b8246ea6aab9

SHA512
d3941e83a3ef974c621aeef4cb4b9611e9a6a6527217ea0af6e69d0de97b877743c33ca3ec73d6d7718b8bf5033dbe190fb75a7883ceafc0d22429e94b082df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLok.exe

Filesize
1.6MB

MD5
f379389ed247da4ac8338bec0367b146

SHA1
2814a670edb9433e00b3bbbd4450ffbd63e722ab

SHA256
77c781dd0394fe7dd74bd6304ec99b9b29594a14aa7633d1ecd762e3f26d7ad6

SHA512
5f9793ee52b1bb9b3973eb52926f8d487ea5b35d97a297e725f819f372128d2ee52a10f1ba56c80f6e65efb3c11fd1ace3d1329222d163b6cccadd5368e6427a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLok.exe

Filesize
1.6MB

MD5
f379389ed247da4ac8338bec0367b146

SHA1
2814a670edb9433e00b3bbbd4450ffbd63e722ab

SHA256
77c781dd0394fe7dd74bd6304ec99b9b29594a14aa7633d1ecd762e3f26d7ad6

SHA512
5f9793ee52b1bb9b3973eb52926f8d487ea5b35d97a297e725f819f372128d2ee52a10f1ba56c80f6e65efb3c11fd1ace3d1329222d163b6cccadd5368e6427a

Download Submit
C:\Users\Admin\Documents\maintenance.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\Documents\maintenance.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/376-162-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/376-159-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/376-157-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/376-155-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2072-149-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/2072-151-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/2072-148-0x0000000000AF0000-0x0000000000C9C000-memory.dmp

Filesize
1.7MB

Download
memory/2072-150-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/3120-164-0x0000000000050000-0x0000000000062000-memory.dmp

Filesize
72KB

Download
memory/5076-153-0x00000174102AC000-0x00000174102AF000-memory.dmp

Filesize
12KB

Download
memory/5076-152-0x00007FFAAC5B0000-0x00007FFAAD071000-memory.dmp

Filesize
10.8MB

Download
memory/5076-136-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5076-144-0x00000174102AC000-0x00000174102AF000-memory.dmp

Filesize
12KB

Download
memory/5076-143-0x00007FFAAC5B0000-0x00007FFAAD071000-memory.dmp

Filesize
10.8MB

Download
memory/5076-134-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5076-140-0x0000017407E60000-0x0000017408092000-memory.dmp

Filesize
2.2MB

Download
memory/5076-132-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5076-135-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download
memory/5076-138-0x00007FFA93F80000-0x00007FFA93F90000-memory.dmp

Filesize
64KB

Download
memory/5076-137-0x00007FFA93F80000-0x00007FFA93F90000-memory.dmp

Filesize
64KB

Download
memory/5076-133-0x00007FFA96690000-0x00007FFA966A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads