warzonerat | 5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

General

Target

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe
Size

216KB
MD5

4eac968a4fcd0e6bad79ca6eecbd08d8
SHA1

a1f8bc409f3d0df06094a5e389bf71be24f4b855
SHA256

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31
SHA512

380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98
SSDEEP

6144:HKcOrIV4ILN3t1cNCUUUx/9ygRC6LcuD:HKcOrIV753t1cso/XUC

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

danbochie.dynv6.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1100-57-0x0000000000250000-0x000000000026A000-memory.dmp	warzonerat
behavioral1/memory/1100-59-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral1/memory/1100-65-0x0000000000250000-0x000000000026A000-memory.dmp	warzonerat
behavioral1/memory/1100-66-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral1/memory/656-70-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral1/memory/656-75-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

stages.exe

pid process

656 stages.exe

pid	process
656	stages.exe

Loads dropped DLL 2 IoCs

Processes:

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

pid	process
1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe
1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\stages = "C:\\ProgramData\\stages.exe"	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exestages.exe

description	pid	process	target process
PID 1100 wrote to memory of 656	1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 1100 wrote to memory of 656	1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 1100 wrote to memory of 656	1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 1100 wrote to memory of 656	1100	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe
PID 656 wrote to memory of 1168	656	stages.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe
"C:\Users\Admin\AppData\Local\Temp\5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100
- C:\ProgramData\stages.exe
  "C:\ProgramData\stages.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\stages.exe

Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
C:\ProgramData\stages.exe

Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
\ProgramData\stages.exe

Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
\ProgramData\stages.exe

Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
memory/656-67-0x0000000000738000-0x0000000000748000-memory.dmp

Filesize
64KB

Download
memory/656-75-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/656-74-0x0000000000738000-0x0000000000748000-memory.dmp

Filesize
64KB

Download
memory/656-70-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/656-69-0x0000000000738000-0x0000000000748000-memory.dmp

Filesize
64KB

Download
memory/656-62-0x0000000000000000-mapping.dmp

Download
memory/1100-59-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1100-65-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1100-66-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1100-64-0x0000000000698000-0x00000000006A9000-memory.dmp

Filesize
68KB

Download
memory/1100-54-0x0000000000698000-0x00000000006A9000-memory.dmp

Filesize
68KB

Download
memory/1100-58-0x0000000000698000-0x00000000006A9000-memory.dmp

Filesize
68KB

Download
memory/1100-57-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1100-56-0x0000000000698000-0x00000000006A9000-memory.dmp

Filesize
68KB

Download
memory/1100-55-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1168-71-0x0000000000000000-mapping.dmp

Download
memory/1168-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads