warzonerat | 1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19

General

Target

1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe
Size

148KB
MD5

e51e575ea8a84eb28defd07e984dab7d
SHA1

8249a68e2783d5432556956a6800dac52c27eedd
SHA256

1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19
SHA512

c1904233d34fc77c84c18b19217c5cba242e1714be42ff1ad7ee041e01aa66d20aa233e6aaa9ad5b50dc685348a776eed4aa5573974c52d77d522c1747ab4f44
SSDEEP

3072:hUJoFfWzzl+cQMBIQ4vMrrEAdaQWMlrurt03gwOlEnW2be2VfdBAOPQGY:hweEx40At8wEntFHFPY

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

remote.msoftupdate.me:8443

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1936-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

dfxjnwl.exedfxjnwl.exe

pid process

1472 dfxjnwl.exe
1936 dfxjnwl.exe
Loads dropped DLL 2 IoCs

Processes:

1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exedfxjnwl.exe

pid process

1504 1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe
1472 dfxjnwl.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dfxjnwl.exe

description pid process target process

PID 1472 set thread context of 1936 1472 dfxjnwl.exe dfxjnwl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dfxjnwl.exe

pid process

1472 dfxjnwl.exe

pid	process
1472	dfxjnwl.exe
1936	dfxjnwl.exe

pid	process
1504	1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe
1472	dfxjnwl.exe

description	pid	process	target process
PID 1472 set thread context of 1936	1472	dfxjnwl.exe	dfxjnwl.exe

pid	process
1472	dfxjnwl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exedfxjnwl.exe

description	pid	process	target process
PID 1504 wrote to memory of 1472	1504	1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe	dfxjnwl.exe
PID 1504 wrote to memory of 1472	1504	1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe	dfxjnwl.exe
PID 1504 wrote to memory of 1472	1504	1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe	dfxjnwl.exe
PID 1504 wrote to memory of 1472	1504	1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe	dfxjnwl.exe
PID 1472 wrote to memory of 1936	1472	dfxjnwl.exe	dfxjnwl.exe
PID 1472 wrote to memory of 1936	1472	dfxjnwl.exe	dfxjnwl.exe
PID 1472 wrote to memory of 1936	1472	dfxjnwl.exe	dfxjnwl.exe
PID 1472 wrote to memory of 1936	1472	dfxjnwl.exe	dfxjnwl.exe
PID 1472 wrote to memory of 1936	1472	dfxjnwl.exe	dfxjnwl.exe

C:\Users\Admin\AppData\Local\Temp\1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe
"C:\Users\Admin\AppData\Local\Temp\1098a175dbcd881620ff687c673c4ac3ac54f4c11482b4fe6a08515d8d180c19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe
  "C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe
    "C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe"
    3⤵
    - Executes dropped EXE
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe

Filesize
6KB

MD5
ff5ed296edef0266a9b117651a25efff

SHA1
4bda8f64b908c095dd74c0dce6e5d8cba43e6646

SHA256
3b19a74d3054b292feb8d19090ee0be92672bb5442f8dc1e547bcf64d4b16473

SHA512
d7e0daa6145704868afc144fb3935f052bd25045e8fde2d605338644334319a465460e2467eb7478646ce4cb9fc96c0e31f8484b7039b5064a2648631c33f0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe

Filesize
6KB

MD5
ff5ed296edef0266a9b117651a25efff

SHA1
4bda8f64b908c095dd74c0dce6e5d8cba43e6646

SHA256
3b19a74d3054b292feb8d19090ee0be92672bb5442f8dc1e547bcf64d4b16473

SHA512
d7e0daa6145704868afc144fb3935f052bd25045e8fde2d605338644334319a465460e2467eb7478646ce4cb9fc96c0e31f8484b7039b5064a2648631c33f0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfxjnwl.exe

Filesize
6KB

MD5
ff5ed296edef0266a9b117651a25efff

SHA1
4bda8f64b908c095dd74c0dce6e5d8cba43e6646

SHA256
3b19a74d3054b292feb8d19090ee0be92672bb5442f8dc1e547bcf64d4b16473

SHA512
d7e0daa6145704868afc144fb3935f052bd25045e8fde2d605338644334319a465460e2467eb7478646ce4cb9fc96c0e31f8484b7039b5064a2648631c33f0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eidoidfclx.wt

Filesize
113KB

MD5
f08a5bbd647915271199081015bf040b

SHA1
8c532b08b609273f26dbabf42f94251183987f9e

SHA256
c5ef4a9e0a6b09cf1eef26504188a7fa69b43cff9ae91bfe31762c3c35d37e52

SHA512
fbf3f6a295dfc8e524fd88623f02befaf489e1d4c7bb0c0f3d39d0cb4edb160255ef1cdd09f3af605b2790df91202cd934bd85a14cb8d965e4db3db5dbd7756a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpplyrxol.tot

Filesize
5KB

MD5
a95bb0ca0ccd6e64d673d6c66fb8a1c4

SHA1
484fe89f9216cac345b8085bdb85b2e767647a28

SHA256
7f2a43cb7c051d91d0f33348c9e4d86ab4aa0cfd12a062e4f14c1d32bd95e4ca

SHA512
c8c29d90c3b3a9c9fffc328fc6215cdd1ea663c3fe579e45c588d6f95328453f97f4d5261971b8e1473daa963fee1de5e55288923264cf139a3c971b6b2451ed

Download Submit
\Users\Admin\AppData\Local\Temp\dfxjnwl.exe

Filesize
6KB

MD5
ff5ed296edef0266a9b117651a25efff

SHA1
4bda8f64b908c095dd74c0dce6e5d8cba43e6646

SHA256
3b19a74d3054b292feb8d19090ee0be92672bb5442f8dc1e547bcf64d4b16473

SHA512
d7e0daa6145704868afc144fb3935f052bd25045e8fde2d605338644334319a465460e2467eb7478646ce4cb9fc96c0e31f8484b7039b5064a2648631c33f0e1

Download Submit
\Users\Admin\AppData\Local\Temp\dfxjnwl.exe

Filesize
6KB

MD5
ff5ed296edef0266a9b117651a25efff

SHA1
4bda8f64b908c095dd74c0dce6e5d8cba43e6646

SHA256
3b19a74d3054b292feb8d19090ee0be92672bb5442f8dc1e547bcf64d4b16473

SHA512
d7e0daa6145704868afc144fb3935f052bd25045e8fde2d605338644334319a465460e2467eb7478646ce4cb9fc96c0e31f8484b7039b5064a2648631c33f0e1

Download Submit
memory/1472-56-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1936-63-0x0000000000405CE2-mapping.dmp

Download
memory/1936-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing