warzonerat | c2737f26a23c6d9dcdd21f052f85414c3a2b92455df9173c7a9874a52f438233

General

Target

31746508b5cda8badec446cbb60b356e.exe
Size

113KB
MD5

31746508b5cda8badec446cbb60b356e
SHA1

6b580b84b6170265e9d52439d2c5384a762e65fe
SHA256

c2737f26a23c6d9dcdd21f052f85414c3a2b92455df9173c7a9874a52f438233
SHA512

9a7156e5dd819f486b34601c0be9d30c251cc04cb28d6751e9dc35fa691efff8884972edc08712bb888934bb38a8a1c380d7dc05ec10502adda995ea4d74711e
SSDEEP

1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWhPmB4u0OVE01W:K1VmhaH8EFvWY0OVE0g

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

31746508b5cda8badec446cbb60b356e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	31746508b5cda8badec446cbb60b356e.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2892 svchost.exe

pid	process
2892	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

31746508b5cda8badec446cbb60b356e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	31746508b5cda8badec446cbb60b356e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	31746508b5cda8badec446cbb60b356e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\dIhubuo = "0"	31746508b5cda8badec446cbb60b356e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	31746508b5cda8badec446cbb60b356e.exe

Drops file in System32 directory 1 IoCs

Processes:

31746508b5cda8badec446cbb60b356e.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll 31746508b5cda8badec446cbb60b356e.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	31746508b5cda8badec446cbb60b356e.exe

Drops file in Program Files directory 2 IoCs

Processes:

31746508b5cda8badec446cbb60b356e.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	31746508b5cda8badec446cbb60b356e.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	31746508b5cda8badec446cbb60b356e.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exe

pid process

2892 svchost.exe
2892 svchost.exe
2892 svchost.exe
2892 svchost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

31746508b5cda8badec446cbb60b356e.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4660 31746508b5cda8badec446cbb60b356e.exe
Token: SeAuditPrivilege 2892 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

31746508b5cda8badec446cbb60b356e.exe

pid process

4660 31746508b5cda8badec446cbb60b356e.exe

pid	process
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe
2892	svchost.exe

pid	process
648

description	pid	process
Token: SeDebugPrivilege	4660	31746508b5cda8badec446cbb60b356e.exe
Token: SeAuditPrivilege	2892	svchost.exe

pid	process
4660	31746508b5cda8badec446cbb60b356e.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

31746508b5cda8badec446cbb60b356e.exe

description	pid	process	target process
PID 4660 wrote to memory of 3920	4660	31746508b5cda8badec446cbb60b356e.exe	cmd.exe
PID 4660 wrote to memory of 3920	4660	31746508b5cda8badec446cbb60b356e.exe	cmd.exe
PID 4660 wrote to memory of 3920	4660	31746508b5cda8badec446cbb60b356e.exe	cmd.exe
PID 4660 wrote to memory of 3920	4660	31746508b5cda8badec446cbb60b356e.exe	cmd.exe
PID 4660 wrote to memory of 3920	4660	31746508b5cda8badec446cbb60b356e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\31746508b5cda8badec446cbb60b356e.exe
"C:\Users\Admin\AppData\Local\Temp\31746508b5cda8badec446cbb60b356e.exe"
1⤵
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini

Filesize
177KB

MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/3920-132-0x0000000000000000-mapping.dmp

Download
memory/3920-133-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4660-134-0x0000000004050000-0x00000000041F0000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads