warzonerat | 5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

General

Target

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe
Size

216KB
MD5

4eac968a4fcd0e6bad79ca6eecbd08d8
SHA1

a1f8bc409f3d0df06094a5e389bf71be24f4b855
SHA256

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31
SHA512

380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98
SSDEEP

6144:HKcOrIV4ILN3t1cNCUUUx/9ygRC6LcuD:HKcOrIV753t1cso/XUC

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

danbochie.dynv6.net:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4856-133-0x00000000005A0000-0x00000000005BA000-memory.dmp	warzonerat
behavioral2/memory/4856-134-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral2/memory/4856-139-0x00000000005A0000-0x00000000005BA000-memory.dmp	warzonerat
behavioral2/memory/4856-140-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral2/memory/4772-142-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat
behavioral2/memory/4772-145-0x0000000000400000-0x0000000000593000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

stages.exe

pid process

4772 stages.exe

pid	process
4772	stages.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stages = "C:\\ProgramData\\stages.exe"	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2360 4856 WerFault.exe 5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

pid	pid_target	process	target process
2360	4856	WerFault.exe	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exestages.exe

description	pid	process	target process
PID 4856 wrote to memory of 4772	4856	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 4856 wrote to memory of 4772	4856	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 4856 wrote to memory of 4772	4856	5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe	stages.exe
PID 4772 wrote to memory of 4120	4772	stages.exe	cmd.exe
PID 4772 wrote to memory of 4120	4772	stages.exe	cmd.exe
PID 4772 wrote to memory of 4120	4772	stages.exe	cmd.exe
PID 4772 wrote to memory of 4120	4772	stages.exe	cmd.exe
PID 4772 wrote to memory of 4120	4772	stages.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe
"C:\Users\Admin\AppData\Local\Temp\5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856

C:\ProgramData\stages.exe
"C:\ProgramData\stages.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 864
2⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4856 -ip 4856
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\stages.exe
Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
C:\ProgramData\stages.exe
Filesize
216KB

MD5
4eac968a4fcd0e6bad79ca6eecbd08d8

SHA1
a1f8bc409f3d0df06094a5e389bf71be24f4b855

SHA256
5d5e419a42d86763932c38d996c8e59c0b30e093bddcd5cb2cf09c07635b7a31

SHA512
380b7f4519feab142495ef84f0260c1d29370acf641990df81184fdfb918070a86e8e0e62b99704ce2b0faf7ccd6cfc0eb7678288d914e351ea00eb486c8aa98

Download Submit
memory/4120-144-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4120-141-0x0000000000000000-mapping.dmp

Download
memory/4772-142-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4772-146-0x00000000006D3000-0x00000000006E3000-memory.dmp

Filesize
64KB

Download
memory/4772-145-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4772-135-0x0000000000000000-mapping.dmp

Download
memory/4772-143-0x00000000006D3000-0x00000000006E3000-memory.dmp

Filesize
64KB

Download
memory/4856-138-0x00000000005E2000-0x00000000005F2000-memory.dmp

Filesize
64KB

Download
memory/4856-140-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4856-139-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download
memory/4856-132-0x00000000005E2000-0x00000000005F2000-memory.dmp

Filesize
64KB

Download
memory/4856-134-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4856-133-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads