warzonerat | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

General

Target

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
Size

5.8MB
MD5

566f5d973c60961ffdf83d358e789504
SHA1

6e662febcd653e3af71c6d166c295a2a7c63c472
SHA256

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc
SHA512

87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1
SSDEEP

98304:EdBK5I5RUOjTAj6w/wRAH4QiM3BhZzJ/zbo/FZSCwyd5kmsWEhAoCkXK0VCqgAH3:EdBK5I5RUOjTpwUQXBh/g/j+yjkf5CkL

Score

10^/10

warzonerat infostealer persistence rat vmprotect

Malware Config

Extracted

Family

warzonerat

C2

193.109.78.123:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1868-55-0x00000000002D0000-0x0000000000C3D000-memory.dmp	warzonerat
behavioral1/memory/1868-57-0x00000000002D0000-0x0000000000C3D000-memory.dmp	warzonerat
behavioral1/memory/1868-63-0x00000000002D0000-0x0000000000C3D000-memory.dmp	warzonerat
behavioral1/memory/2036-65-0x0000000001080000-0x00000000019ED000-memory.dmp	warzonerat
behavioral1/memory/2036-67-0x0000000001080000-0x00000000019ED000-memory.dmp	warzonerat
behavioral1/memory/2036-70-0x0000000001080000-0x00000000019ED000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

2036 images.exe

pid	process
2036	images.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1868-55-0x00000000002D0000-0x0000000000C3D000-memory.dmp	vmprotect
behavioral1/memory/1868-57-0x00000000002D0000-0x0000000000C3D000-memory.dmp	vmprotect
\ProgramData\images.exe	vmprotect
C:\ProgramData\images.exe	vmprotect
\ProgramData\images.exe	vmprotect
behavioral1/memory/1868-63-0x00000000002D0000-0x0000000000C3D000-memory.dmp	vmprotect
C:\ProgramData\images.exe	vmprotect
behavioral1/memory/2036-65-0x0000000001080000-0x00000000019ED000-memory.dmp	vmprotect
behavioral1/memory/2036-67-0x0000000001080000-0x00000000019ED000-memory.dmp	vmprotect
behavioral1/memory/2036-70-0x0000000001080000-0x00000000019ED000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

pid	process
1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Helpeerss = "C:\\ProgramData\\images.exe"	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exeimages.exe

pid	process
1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
2036	images.exe
2036	images.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exeimages.exe

description	pid	process	target process
PID 1868 wrote to memory of 2036	1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 1868 wrote to memory of 2036	1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 1868 wrote to memory of 2036	1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 1868 wrote to memory of 2036	1868	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe
PID 2036 wrote to memory of 1840	2036	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
"C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
C:\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
memory/1840-68-0x0000000000000000-mapping.dmp

Download
memory/1840-69-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1868-57-0x00000000002D0000-0x0000000000C3D000-memory.dmp

Filesize
9.4MB

Download
memory/1868-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1868-63-0x00000000002D0000-0x0000000000C3D000-memory.dmp

Filesize
9.4MB

Download
memory/1868-55-0x00000000002D0000-0x0000000000C3D000-memory.dmp

Filesize
9.4MB

Download
memory/2036-60-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000001080000-0x00000000019ED000-memory.dmp

Filesize
9.4MB

Download
memory/2036-67-0x0000000001080000-0x00000000019ED000-memory.dmp

Filesize
9.4MB

Download
memory/2036-70-0x0000000001080000-0x00000000019ED000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads