warzonerat | 9f7d82aeddf916d2afbdee07a61a080d9dced51adc79851930de708318bea5ca

General

Target

Purchase Order No. W2201091.exe
Size

394KB
MD5

7bd1be0230d05485cf9999ea0373417b
SHA1

a1945c82e3513dd9e1ac3f337a262a8cbf9e6957
SHA256

9f7d82aeddf916d2afbdee07a61a080d9dced51adc79851930de708318bea5ca
SHA512

4a7d164a9810125d4e1ebeaa3f89a8fb172cd6021c5fcc3fa1c1b21b7a8ca4321c297ecf29a4dd25d06196e0bed38a279cba2d9b135e9e36db2c1a82461f26b6
SSDEEP

12288:K04sGNn/lBij2l0/eGRYpyuD8Iy/Je/XCGb32Udv72ikJSurBlWAKdagiEZIxZni:K04sGNn/lBij2l0/eGRYpyuD8Iy/Je/l

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

rajsavindia.hopto.org:5067

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

hyetisbuqv.exehyetisbuqv.exe

pid process

580 hyetisbuqv.exe
520 hyetisbuqv.exe
Loads dropped DLL 2 IoCs

Processes:

Purchase Order No. W2201091.exehyetisbuqv.exe

pid process

336 Purchase Order No. W2201091.exe
580 hyetisbuqv.exe

pid	process
580	hyetisbuqv.exe
520	hyetisbuqv.exe

pid	process
336	Purchase Order No. W2201091.exe
580	hyetisbuqv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hyetisbuqv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\yufa = "C:\\Users\\Admin\\AppData\\Roaming\\getkmbjbvp\\fbtval.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hyetisbuqv.exe\" C:\\Users\\Admin\\AppData\\Loc"	hyetisbuqv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hyetisbuqv.exe

description pid process target process

PID 580 set thread context of 520 580 hyetisbuqv.exe hyetisbuqv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hyetisbuqv.exe

pid process

580 hyetisbuqv.exe

description	pid	process	target process
PID 580 set thread context of 520	580	hyetisbuqv.exe	hyetisbuqv.exe

pid	process
580	hyetisbuqv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Purchase Order No. W2201091.exehyetisbuqv.exe

description	pid	process	target process
PID 336 wrote to memory of 580	336	Purchase Order No. W2201091.exe	hyetisbuqv.exe
PID 336 wrote to memory of 580	336	Purchase Order No. W2201091.exe	hyetisbuqv.exe
PID 336 wrote to memory of 580	336	Purchase Order No. W2201091.exe	hyetisbuqv.exe
PID 336 wrote to memory of 580	336	Purchase Order No. W2201091.exe	hyetisbuqv.exe
PID 580 wrote to memory of 520	580	hyetisbuqv.exe	hyetisbuqv.exe
PID 580 wrote to memory of 520	580	hyetisbuqv.exe	hyetisbuqv.exe
PID 580 wrote to memory of 520	580	hyetisbuqv.exe	hyetisbuqv.exe
PID 580 wrote to memory of 520	580	hyetisbuqv.exe	hyetisbuqv.exe
PID 580 wrote to memory of 520	580	hyetisbuqv.exe	hyetisbuqv.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order No. W2201091.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order No. W2201091.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe
  "C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe" C:\Users\Admin\AppData\Local\Temp\bwtiynau.djt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe
    "C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe" C:\Users\Admin\AppData\Local\Temp\bwtiynau.djt
    3⤵
    - Executes dropped EXE
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bwtiynau.djt

Filesize
7KB

MD5
111562ffcf5fac11ef02a2be968273da

SHA1
0c1fd3d762e0e0bf665a290863a5d1d4b9de84b8

SHA256
0e8d99a7910206261716b7261c5b08d0f0fa3389a97999ffef4bb08673e3c900

SHA512
833dcab4b731d89a6588378d4a5bc5ac69f8251e99bc7ca202c2ded683ac80c2127de981ddba057c3ea5d75ba7cc3ae3c21f898d8eed7ff58ce189b9164bc451

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzukz.qrs

Filesize
113KB

MD5
de93ea09de219169a7267658b989680a

SHA1
2b93a5edcc9cdbea500613a0a7f1dd037c522a55

SHA256
4837e0ed21103f3575bcd63a820e6e69abbd9c34d4acecc08caa99b9b7425540

SHA512
519348e4a7f9d081a0578cc126a52c980efbb2a265bd34aaf326701816fe33ce8386f8698e4d5be096897f771caeff671ea826ea744769a974dc5ab356140680

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe

Filesize
92KB

MD5
0a3afff842e15764ce7ac183496550dd

SHA1
d9e12b137f0245afc7e50ebddf1b2bc0ab42793e

SHA256
21348d88e12cf80fda359ce325de36ade65df38a94881553c3f96a2273a6dc41

SHA512
205495455d9d01d6239f3a10026f285db289e2608c7323d5b1d191df226ac5fcd4c37f3cba9ad53bb06aee158c35862f5d189b61d83d9d4fcb6c3d9f2678eaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe

Filesize
92KB

MD5
0a3afff842e15764ce7ac183496550dd

SHA1
d9e12b137f0245afc7e50ebddf1b2bc0ab42793e

SHA256
21348d88e12cf80fda359ce325de36ade65df38a94881553c3f96a2273a6dc41

SHA512
205495455d9d01d6239f3a10026f285db289e2608c7323d5b1d191df226ac5fcd4c37f3cba9ad53bb06aee158c35862f5d189b61d83d9d4fcb6c3d9f2678eaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe

Filesize
92KB

MD5
0a3afff842e15764ce7ac183496550dd

SHA1
d9e12b137f0245afc7e50ebddf1b2bc0ab42793e

SHA256
21348d88e12cf80fda359ce325de36ade65df38a94881553c3f96a2273a6dc41

SHA512
205495455d9d01d6239f3a10026f285db289e2608c7323d5b1d191df226ac5fcd4c37f3cba9ad53bb06aee158c35862f5d189b61d83d9d4fcb6c3d9f2678eaf3

Download Submit
\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe

Filesize
92KB

MD5
0a3afff842e15764ce7ac183496550dd

SHA1
d9e12b137f0245afc7e50ebddf1b2bc0ab42793e

SHA256
21348d88e12cf80fda359ce325de36ade65df38a94881553c3f96a2273a6dc41

SHA512
205495455d9d01d6239f3a10026f285db289e2608c7323d5b1d191df226ac5fcd4c37f3cba9ad53bb06aee158c35862f5d189b61d83d9d4fcb6c3d9f2678eaf3

Download Submit
\Users\Admin\AppData\Local\Temp\hyetisbuqv.exe

Filesize
92KB

MD5
0a3afff842e15764ce7ac183496550dd

SHA1
d9e12b137f0245afc7e50ebddf1b2bc0ab42793e

SHA256
21348d88e12cf80fda359ce325de36ade65df38a94881553c3f96a2273a6dc41

SHA512
205495455d9d01d6239f3a10026f285db289e2608c7323d5b1d191df226ac5fcd4c37f3cba9ad53bb06aee158c35862f5d189b61d83d9d4fcb6c3d9f2678eaf3

Download Submit
memory/336-54-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/520-63-0x0000000000405CE2-mapping.dmp

Download
memory/520-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/580-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads