warzonerat | 584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

General

Target

b343f5040957ac537dcb89da8e84e0fb.exe
Size

132KB
MD5

b343f5040957ac537dcb89da8e84e0fb
SHA1

f6e156c288b3b3323fc75b99d471a5cac2938e40
SHA256

584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a
SHA512

35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5
SSDEEP

3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

20.106.217.83:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Load.exe	warzonerat
C:\Users\Admin\Documents\Load.exe	warzonerat

Executes dropped EXE 1 IoCs

Processes:

Load.exe

pid process

176 Load.exe

pid	process
176	Load.exe

Drops startup file 2 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	b343f5040957ac537dcb89da8e84e0fb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	b343f5040957ac537dcb89da8e84e0fb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Load = "C:\\Users\\Admin\\Documents\\Load.exe"	b343f5040957ac537dcb89da8e84e0fb.exe

NTFS ADS 1 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exe

description ioc process

File created C:\Users\Admin\Documents\Documents:ApplicationData b343f5040957ac537dcb89da8e84e0fb.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

452 powershell.exe
452 powershell.exe
3968 powershell.exe
3968 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 452 powershell.exe
Token: SeDebugPrivilege 3968 powershell.exe

description	ioc	process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	b343f5040957ac537dcb89da8e84e0fb.exe

pid	process
452	powershell.exe
452	powershell.exe
3968	powershell.exe
3968	powershell.exe

description	pid	process
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b343f5040957ac537dcb89da8e84e0fb.exeLoad.exe

description	pid	process	target process
PID 3736 wrote to memory of 452	3736	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 3736 wrote to memory of 452	3736	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 3736 wrote to memory of 452	3736	b343f5040957ac537dcb89da8e84e0fb.exe	powershell.exe
PID 3736 wrote to memory of 176	3736	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 3736 wrote to memory of 176	3736	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 3736 wrote to memory of 176	3736	b343f5040957ac537dcb89da8e84e0fb.exe	Load.exe
PID 176 wrote to memory of 3968	176	Load.exe	powershell.exe
PID 176 wrote to memory of 3968	176	Load.exe	powershell.exe
PID 176 wrote to memory of 3968	176	Load.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b343f5040957ac537dcb89da8e84e0fb.exe
"C:\Users\Admin\AppData\Local\Temp\b343f5040957ac537dcb89da8e84e0fb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\Documents\Load.exe
"C:\Users\Admin\Documents\Load.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b59955ba0e723291f6ffb19a570e9f64

SHA1
9435d01ff2945108d3cee10bf2c4ad8d0e176155

SHA256
1551641ae5d26ff6384572843f3a4b9cb393c5e30fae3af638b9ea515daf213a

SHA512
fac34811b027bfd4a67bcdf6c22483079327dcdd5cf69b5cacd771067e1b74d66c56191f26b4e53dd05a51080c57339da0a5a88ca6fb7f8d76df7e174a8d724c

Download Submit
C:\Users\Admin\Documents\Load.exe
Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
C:\Users\Admin\Documents\Load.exe
Filesize
132KB

MD5
b343f5040957ac537dcb89da8e84e0fb

SHA1
f6e156c288b3b3323fc75b99d471a5cac2938e40

SHA256
584ce9956690cdee5fc287e37ecdd55b749cf4971ec97ae169dc29fac2da9d1a

SHA512
35973f9d1fe8c823b0d8f23a5ed4f16b21648a117bed3ccb584d893e963b243ac77fd3c096ac6cb77f3d286dd379598716e77273a0f652438f01687a31ee11e5

Download Submit
memory/176-139-0x0000000000000000-mapping.dmp

Download
memory/452-144-0x0000000070910000-0x000000007095C000-memory.dmp

Filesize
304KB

Download
memory/452-146-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/452-137-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/452-136-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/452-135-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/452-138-0x0000000004AF0000-0x0000000004B0E000-memory.dmp

Filesize
120KB

Download
memory/452-143-0x0000000006370000-0x00000000063A2000-memory.dmp

Filesize
200KB

Download
memory/452-132-0x0000000000000000-mapping.dmp

Download
memory/452-145-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/452-134-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/452-147-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/452-148-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download
memory/452-149-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/452-133-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/452-151-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/452-152-0x00000000073D0000-0x00000000073EA000-memory.dmp

Filesize
104KB

Download
memory/452-153-0x00000000073B0000-0x00000000073B8000-memory.dmp

Filesize
32KB

Download
memory/3968-142-0x0000000000000000-mapping.dmp

Download
memory/3968-150-0x0000000070910000-0x000000007095C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads