warzonerat | 5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windll32.exe
Size

144KB
MD5

64fac32b120e4ff32d2b630b034475be
SHA1

081605cd23a89a864fa4e4e16f00329cd9cdfc10
SHA256

5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b
SHA512

e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768
SSDEEP

3072:F7W9jps0Tx4azG6GweOTir5axbjNCz45LT7auXkP0N:FwpsERzGKurEXCzeLT7auX1N

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

162.55.126.123:1111

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\Documents\images.exe	warzonerat
\Users\Admin\Documents\images.exe	warzonerat
C:\Users\Admin\Documents\images.exe	warzonerat
C:\Users\Admin\Documents\images.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1316 images.exe
Loads dropped DLL 2 IoCs

Processes:

windll32.exe

pid process

1996 windll32.exe
1996 windll32.exe

pid	process
1316	images.exe

pid	process
1996	windll32.exe
1996	windll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"	windll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

windll32.exeimages.exe

description	pid	process	target process
PID 1996 wrote to memory of 1316	1996	windll32.exe	images.exe
PID 1996 wrote to memory of 1316	1996	windll32.exe	images.exe
PID 1996 wrote to memory of 1316	1996	windll32.exe	images.exe
PID 1996 wrote to memory of 1316	1996	windll32.exe	images.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe
PID 1316 wrote to memory of 940	1316	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\windll32.exe
"C:\Users\Admin\AppData\Local\Temp\windll32.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
C:\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
\Users\Admin\Documents\images.exe
Filesize
144KB

MD5
64fac32b120e4ff32d2b630b034475be

SHA1
081605cd23a89a864fa4e4e16f00329cd9cdfc10

SHA256
5e47be22f5e470990084884a07f41c0f997c24ae37b26d8f41b01776bbc6588b

SHA512
e5febfd95602f42431ed03df46387ba95324b20f8fadb32b2fe9cfbf8ae1b740e7e6cdd3ed78db08e0ea58b9d3bfd915a0cb863cf570ce2c75ff80986a33b768

Download Submit
memory/940-61-0x0000000000000000-mapping.dmp

Download
memory/940-62-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1316-57-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download