warzonerat | 3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

General

Target

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
Size

5.8MB
MD5

566f5d973c60961ffdf83d358e789504
SHA1

6e662febcd653e3af71c6d166c295a2a7c63c472
SHA256

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc
SHA512

87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1
SSDEEP

98304:EdBK5I5RUOjTAj6w/wRAH4QiM3BhZzJ/zbo/FZSCwyd5kmsWEhAoCkXK0VCqgAH3:EdBK5I5RUOjTpwUQXBh/g/j+yjkf5CkL

Score

10^/10

warzonerat infostealer persistence rat vmprotect

Malware Config

Extracted

Family

warzonerat

C2

193.109.78.123:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp	warzonerat
behavioral2/memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp	warzonerat
behavioral2/memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp	warzonerat
behavioral2/memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp	warzonerat
behavioral2/memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp	warzonerat
behavioral2/memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3112 images.exe

pid	process
3112	images.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp	vmprotect
behavioral2/memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp	vmprotect
C:\ProgramData\images.exe	vmprotect
C:\ProgramData\images.exe	vmprotect
behavioral2/memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp	vmprotect
behavioral2/memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp	vmprotect
behavioral2/memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp	vmprotect
behavioral2/memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Helpeerss = "C:\\ProgramData\\images.exe"	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exeimages.exe

pid	process
4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
3112	images.exe
3112	images.exe
3112	images.exe
3112	images.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exeimages.exe

description	pid	process	target process
PID 4364 wrote to memory of 3112	4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 4364 wrote to memory of 3112	4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 4364 wrote to memory of 3112	4364	3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe	images.exe
PID 3112 wrote to memory of 712	3112	images.exe	cmd.exe
PID 3112 wrote to memory of 712	3112	images.exe	cmd.exe
PID 3112 wrote to memory of 712	3112	images.exe	cmd.exe
PID 3112 wrote to memory of 712	3112	images.exe	cmd.exe
PID 3112 wrote to memory of 712	3112	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe
"C:\Users\Admin\AppData\Local\Temp\3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
C:\ProgramData\images.exe
Filesize
5.8MB

MD5
566f5d973c60961ffdf83d358e789504

SHA1
6e662febcd653e3af71c6d166c295a2a7c63c472

SHA256
3bac5dd964575f98f067f2e8ca7e84fc9886911ac930c18ffd2ae3aadd5d54fc

SHA512
87dd7cbbd3ed8d9b79dec4275d60051478122aa21e73de8ffa2db4f1aa9073b7c1e1d9f064fa7f22e829c46348ecaffcf15a0651f67590440287b92619441cd1

Download Submit
memory/712-141-0x0000000000000000-mapping.dmp

Download
memory/712-143-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/3112-135-0x0000000000000000-mapping.dmp

Download
memory/3112-139-0x0000000000590000-0x0000000000EFD000-memory.dmp

Filesize
9.4MB

Download
memory/3112-142-0x0000000000590000-0x0000000000EFD000-memory.dmp

Filesize
9.4MB

Download
memory/3112-144-0x0000000000590000-0x0000000000EFD000-memory.dmp

Filesize
9.4MB

Download
memory/4364-132-0x0000000000790000-0x00000000010FD000-memory.dmp

Filesize
9.4MB

Download
memory/4364-134-0x0000000000790000-0x00000000010FD000-memory.dmp

Filesize
9.4MB

Download
memory/4364-138-0x0000000000790000-0x00000000010FD000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads