warzonerat | 584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

General

Target

b343f5040957ac537dcb89da8e84e0fb.exe
Size

132KB
MD5

b343f5040957ac537dcb89da8e84e0fb
SHA1

f6e156c288b3b3323fc75b99d471a5cac2938e40
SHA256

584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a
SHA512

35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

20.106.217.83:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\Documents\Load.exe	warzonerat
C:\Users\Admin\Documents\Load.exe	warzonerat
\Users\Admin\Documents\Load.exe	warzonerat
C:\Users\Admin\Documents\Load.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

Load.exe

pid process

1088 Load.exe

pid	process
1088	Load.exe

Drops startup file 2 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	b343f5040957ac537dcb89da8e84e0fb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	b343f5040957ac537dcb89da8e84e0fb.exe

Loads dropped DLL 2 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

pid process

368 b343f5040957ac537dcb89da8e84e0fb.exe
368 b343f5040957ac537dcb89da8e84e0fb.exe

pid	process
368	b343f5040957ac537dcb89da8e84e0fb.exe
368	b343f5040957ac537dcb89da8e84e0fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\Documents\\Load.exe"	b343f5040957ac537dcb89da8e84e0fb.exe

NTFS ADS 1 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData b343f5040957ac537dcb89da8e84e0fb.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

912 powershell.exe
1956 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 912 powershell.exe
Token: SeDebugPrivilege 1956 powershell.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	b343f5040957ac537dcb89da8e84e0fb.exe

pid	process
912	powershell.exe
1956	powershell.exe

description	pid	process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exeLoad.exe

description	pid	process	target process
PID 368 wrote to memory of 912	368	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 368 wrote to memory of 912	368	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 368 wrote to memory of 912	368	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 368 wrote to memory of 912	368	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 368 wrote to memory of 1088	368	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 368 wrote to memory of 1088	368	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 368 wrote to memory of 1088	368	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 368 wrote to memory of 1088	368	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 1088 wrote to memory of 1956	1088	Load.exe	powershell.exe
PID 1088 wrote to memory of 1956	1088	Load.exe	powershell.exe
PID 1088 wrote to memory of 1956	1088	Load.exe	powershell.exe
PID 1088 wrote to memory of 1956	1088	Load.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b343f5040957ac537dcb89da8e84e0fb.exe
"C:\Users\Admin\AppData\Local\Temp\b343f5040957ac537dcb89da8e84e0fb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Users\Admin\Documents\Load.exe
  "C:\Users\Admin\Documents\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f75f394ba7a46a213d633768f3e475ce

SHA1
73c127c3e6b781464db9613446a3a883003459db

SHA256
2e183b3bcc946848f45b4f68deac4269ce97b0f8f0dbfb11ab31373baecec5ca

SHA512
7381a0b27ac2d31d3b617ebe48c39119ef0f3d15e2b8a946d0b3dd26a9694ea3de44d32328e813dbca9bafa895af4084c1052de7deb6c45fb8a509a3edef3a5d

Download Submit
C:\Users\Admin\Documents\Load.exe

Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
C:\Users\Admin\Documents\Load.exe

Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
\Users\Admin\Documents\Load.exe

Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
\Users\Admin\Documents\Load.exe

Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
memory/368-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/912-55-0x0000000000000000-mapping.dmp

Download
memory/912-62-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/912-63-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1088-59-0x0000000000000000-mapping.dmp

Download
memory/1956-65-0x0000000000000000-mapping.dmp

Download
memory/1956-68-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads