warzonerat | 3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

General

Target

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
Size

1.8MB
MD5

61bbdb549ccbc81047a83e195b00a38b
SHA1

96b4d39428e9ddff6737cd3944b303f169078ebe
SHA256

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8
SHA512

d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633
SSDEEP

12288:ej33yzo7xhMSK4ftKDjtkii0uuDVqMnoV8WUu1HHGYnjNVoWuLD/bfsycN01/Rn:ejyQoDhxjnoV8WUu1HmoknJ

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

192.3.111.154:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2000-55-0x00000000008D0000-0x0000000000A24000-memory.dmp	warzonerat
behavioral1/memory/2000-61-0x0000000002730000-0x0000000003130000-memory.dmp	warzonerat
behavioral1/memory/1508-71-0x0000000000620000-0x0000000000774000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

itunes.exe

pid process

1508 itunes.exe

pid	process
1508	itunes.exe

Drops startup file 2 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

Loads dropped DLL 1 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

pid process

2000 3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

pid	process
2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\ProgramData\\itunes.exe"	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

NTFS ADS 1 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

description ioc process

File created C:\ProgramData:ApplicationData 3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

628 powershell.exe
1012 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 628 powershell.exe
Token: SeDebugPrivilege 1012 powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe

pid	process
628	powershell.exe
1012	powershell.exe

description	pid	process
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exeitunes.exe

description	pid	process	target process
PID 2000 wrote to memory of 628	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 2000 wrote to memory of 628	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 2000 wrote to memory of 628	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 2000 wrote to memory of 628	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	powershell.exe
PID 2000 wrote to memory of 1508	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 2000 wrote to memory of 1508	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 2000 wrote to memory of 1508	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 2000 wrote to memory of 1508	2000	3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe	itunes.exe
PID 1508 wrote to memory of 1012	1508	itunes.exe	powershell.exe
PID 1508 wrote to memory of 1012	1508	itunes.exe	powershell.exe
PID 1508 wrote to memory of 1012	1508	itunes.exe	powershell.exe
PID 1508 wrote to memory of 1012	1508	itunes.exe	powershell.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe
PID 1508 wrote to memory of 436	1508	itunes.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe
"C:\Users\Admin\AppData\Local\Temp\3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\ProgramData\itunes.exe
  "C:\ProgramData\itunes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\itunes.exe

Filesize
1.8MB

MD5
61bbdb549ccbc81047a83e195b00a38b

SHA1
96b4d39428e9ddff6737cd3944b303f169078ebe

SHA256
3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

SHA512
d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633

Download Submit
C:\ProgramData\itunes.exe

Filesize
1.8MB

MD5
61bbdb549ccbc81047a83e195b00a38b

SHA1
96b4d39428e9ddff6737cd3944b303f169078ebe

SHA256
3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

SHA512
d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
04d796fe9797fc3be7ecb21d9616a499

SHA1
f398b7e2f1e4f2e880238a4e8b4237ccbcefb39b

SHA256
555c9f7af3000e4b534283dd3c32b6d8fe57c6f21910cb339946d813e86b5f75

SHA512
c374ee2e3e4a3ff9b4638d4be476ce2930949deb4d577f5d914c678caee6727774a2ce9c210e5d3965a2e39877e84b49038a53216af75ebcdbbc1bdcefa9789c

Download Submit
\ProgramData\itunes.exe

Filesize
1.8MB

MD5
61bbdb549ccbc81047a83e195b00a38b

SHA1
96b4d39428e9ddff6737cd3944b303f169078ebe

SHA256
3df212b13323638a741a6febc79f2e426775adde00e486bc52624a23da1c53b8

SHA512
d0c83db4127ac94a01cccc06492aed8e69d69e0cbffb602debbb67a2bbe3037221d8659bfd4987c8da06d7dcdb926eb5b65653385197fa3632c5a19f72a02633

Download Submit
memory/436-83-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/628-68-0x0000000073A10000-0x0000000073FBB000-memory.dmp

Filesize
5.7MB

Download
memory/628-69-0x0000000073A10000-0x0000000073FBB000-memory.dmp

Filesize
5.7MB

Download
memory/628-62-0x0000000000000000-mapping.dmp

Download
memory/1012-78-0x0000000000000000-mapping.dmp

Download
memory/1012-82-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1508-71-0x0000000000620000-0x0000000000774000-memory.dmp

Filesize
1.3MB

Download
memory/1508-65-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/2000-61-0x0000000002730000-0x0000000003130000-memory.dmp

Filesize
10.0MB

Download
memory/2000-55-0x00000000008D0000-0x0000000000A24000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads