warzonerat | 04358cf18a40cd84d8228374ba2909c7bddff434c1fa8aa9f90340a8ca8ed677

General

Target

file.exe
Size

375KB
MD5

b39590e4dfa1e1cd65137ea39516f2ab
SHA1

5288b6d596ee722f91d433de71a34951834034a2
SHA256

04358cf18a40cd84d8228374ba2909c7bddff434c1fa8aa9f90340a8ca8ed677
SHA512

deedbf0a960fdce33771971a388a31a02b60bc7d1537d55b6fd02ebfc1ba687ff3346cd68460d80b2b534c053677ffb33fdaa57d21a84e52f717ed112e28842a
SSDEEP

6144:9Ea0HdHIKAkhemyJ+NUIusCYwzCziHlLWtDdDVtAt7ASDcWejvXwh+Le/yBHmHA0:kUkbNDusniFithD08SDcXjvSke/y/un

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

maulo.duckdns.org:6269

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/868-66-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

jbxarogvjr.exejbxarogvjr.exe

pid process

296 jbxarogvjr.exe
868 jbxarogvjr.exe
Loads dropped DLL 2 IoCs

Processes:

file.exejbxarogvjr.exe

pid process

956 file.exe
296 jbxarogvjr.exe

pid	process
296	jbxarogvjr.exe
868	jbxarogvjr.exe

pid	process
956	file.exe
296	jbxarogvjr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jbxarogvjr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\txhebpkmn = "C:\\Users\\Admin\\AppData\\Roaming\\jjeyhwddvbpjyk\\oytsgghavj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jbxarogvjr.exe\""	jbxarogvjr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

jbxarogvjr.exe

description pid process target process

PID 296 set thread context of 868 296 jbxarogvjr.exe jbxarogvjr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jbxarogvjr.exe

pid process

296 jbxarogvjr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jbxarogvjr.exe

pid process

868 jbxarogvjr.exe

description	pid	process	target process
PID 296 set thread context of 868	296	jbxarogvjr.exe	jbxarogvjr.exe

pid	process
296	jbxarogvjr.exe

pid	process
868	jbxarogvjr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exejbxarogvjr.exe

description	pid	process	target process
PID 956 wrote to memory of 296	956	file.exe	jbxarogvjr.exe
PID 956 wrote to memory of 296	956	file.exe	jbxarogvjr.exe
PID 956 wrote to memory of 296	956	file.exe	jbxarogvjr.exe
PID 956 wrote to memory of 296	956	file.exe	jbxarogvjr.exe
PID 296 wrote to memory of 868	296	jbxarogvjr.exe	jbxarogvjr.exe
PID 296 wrote to memory of 868	296	jbxarogvjr.exe	jbxarogvjr.exe
PID 296 wrote to memory of 868	296	jbxarogvjr.exe	jbxarogvjr.exe
PID 296 wrote to memory of 868	296	jbxarogvjr.exe	jbxarogvjr.exe
PID 296 wrote to memory of 868	296	jbxarogvjr.exe	jbxarogvjr.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe
  "C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe
    "C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iftlftqp.d

Filesize
98KB

MD5
3e3197a5c8d9ee9e91c50d914e7e0465

SHA1
1198b3688fc3952c18d899caf6c18fefc15a92ba

SHA256
a5216b0f9b2a6c81ee7fa539ecb9d8b89a847041208bb32e95fcc182d20dbe9c

SHA512
c895112d25037203d5bceb38c406e82c26b5a0bd813591b19f851328c71372a41f5726a3e19d8514d34b286c7012b2cc39f52a96520468333b15312b881807bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe

Filesize
350KB

MD5
c690e0238cc85ee4550d98ce8fac77fe

SHA1
9ba3660dcbfe80d98279dc80f973721d87cf3fda

SHA256
2e812c9499e40c249fb7866b022d67b7dcf8544fadf81017b0e593705db56a1e

SHA512
4fea612105a33ec95d89279fc5095afcbff34522a2a08ba2ff67bf0dce274f802d2ce9c0839c4b856a85155bdcc1eff50db2890e608044944e9fb3578974ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe

Filesize
350KB

MD5
c690e0238cc85ee4550d98ce8fac77fe

SHA1
9ba3660dcbfe80d98279dc80f973721d87cf3fda

SHA256
2e812c9499e40c249fb7866b022d67b7dcf8544fadf81017b0e593705db56a1e

SHA512
4fea612105a33ec95d89279fc5095afcbff34522a2a08ba2ff67bf0dce274f802d2ce9c0839c4b856a85155bdcc1eff50db2890e608044944e9fb3578974ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe

Filesize
350KB

MD5
c690e0238cc85ee4550d98ce8fac77fe

SHA1
9ba3660dcbfe80d98279dc80f973721d87cf3fda

SHA256
2e812c9499e40c249fb7866b022d67b7dcf8544fadf81017b0e593705db56a1e

SHA512
4fea612105a33ec95d89279fc5095afcbff34522a2a08ba2ff67bf0dce274f802d2ce9c0839c4b856a85155bdcc1eff50db2890e608044944e9fb3578974ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhacj.zf

Filesize
7KB

MD5
058b35489ca820e90447ba582dbdd3fa

SHA1
be42a91f8a3848bec4afae73c9f65c25fb68c6ea

SHA256
14459d302d06528a8f447cd63ebb31dacae4656943ebe75b67d032b030080abd

SHA512
9cce193f676e7ac667ff9dcadfe09e788359114370467cd54f5fcdeae7ab5f14d8e24ce495fc158a286e44979afdd431d3887782a2db8fbf82bcf53e221a6a35

Download Submit
\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe

Filesize
350KB

MD5
c690e0238cc85ee4550d98ce8fac77fe

SHA1
9ba3660dcbfe80d98279dc80f973721d87cf3fda

SHA256
2e812c9499e40c249fb7866b022d67b7dcf8544fadf81017b0e593705db56a1e

SHA512
4fea612105a33ec95d89279fc5095afcbff34522a2a08ba2ff67bf0dce274f802d2ce9c0839c4b856a85155bdcc1eff50db2890e608044944e9fb3578974ec47

Download Submit
\Users\Admin\AppData\Local\Temp\jbxarogvjr.exe

Filesize
350KB

MD5
c690e0238cc85ee4550d98ce8fac77fe

SHA1
9ba3660dcbfe80d98279dc80f973721d87cf3fda

SHA256
2e812c9499e40c249fb7866b022d67b7dcf8544fadf81017b0e593705db56a1e

SHA512
4fea612105a33ec95d89279fc5095afcbff34522a2a08ba2ff67bf0dce274f802d2ce9c0839c4b856a85155bdcc1eff50db2890e608044944e9fb3578974ec47

Download Submit
memory/296-56-0x0000000000000000-mapping.dmp

Download
memory/868-63-0x0000000000405738-mapping.dmp

Download
memory/868-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/956-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads