warzonerat | 259fff7281f53b0dcb4ba5b9a1e4323f414e2a43496aff5cb32c1b8b50db773c

General

Target

f6b748b16c33e91dd7cdd128ab0917cd.exe
Size

171KB
MD5

f6b748b16c33e91dd7cdd128ab0917cd
SHA1

6b3762c4507f52dff97ec34bae4a16a5d876ab1a
SHA256

259fff7281f53b0dcb4ba5b9a1e4323f414e2a43496aff5cb32c1b8b50db773c
SHA512

ca04fd9616de8a2253d396e1d70fe2b2c1bd23d98e413bc0f8821f5c75e5b515fb675e62ffb40bf115ae3b06c4c50e36e63ba87818f3c19a781d5753c061f413
SSDEEP

3072:QEhKzShSycSMjk/CFpQUWbNUEp0afqf/T9xjj4fAA0/oPQ3A8JHVZ:QBn1j6CFyUONUEp3Ox5cAf/oPQzN

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

revive147.duckdns.org:6513

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4752-139-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

pzzofr.exepzzofr.exe

pid process

4848 pzzofr.exe
4752 pzzofr.exe

pid	process
4848	pzzofr.exe
4752	pzzofr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzzofr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myfphwhgbt = "C:\\Users\\Admin\\AppData\\Roaming\\ocor\\afam.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pzzofr.exe\" C:\\Users\\Admin\\AppData\\Local\\Temp\\wgbr"	pzzofr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pzzofr.exe

description pid process target process

PID 4848 set thread context of 4752 4848 pzzofr.exe pzzofr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pzzofr.exe

pid process

4848 pzzofr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pzzofr.exe

pid process

4752 pzzofr.exe

description	pid	process	target process
PID 4848 set thread context of 4752	4848	pzzofr.exe	pzzofr.exe

pid	process
4848	pzzofr.exe

pid	process
4752	pzzofr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f6b748b16c33e91dd7cdd128ab0917cd.exepzzofr.exe

description	pid	process	target process
PID 4800 wrote to memory of 4848	4800	f6b748b16c33e91dd7cdd128ab0917cd.exe	pzzofr.exe
PID 4800 wrote to memory of 4848	4800	f6b748b16c33e91dd7cdd128ab0917cd.exe	pzzofr.exe
PID 4800 wrote to memory of 4848	4800	f6b748b16c33e91dd7cdd128ab0917cd.exe	pzzofr.exe
PID 4848 wrote to memory of 4752	4848	pzzofr.exe	pzzofr.exe
PID 4848 wrote to memory of 4752	4848	pzzofr.exe	pzzofr.exe
PID 4848 wrote to memory of 4752	4848	pzzofr.exe	pzzofr.exe
PID 4848 wrote to memory of 4752	4848	pzzofr.exe	pzzofr.exe

C:\Users\Admin\AppData\Local\Temp\f6b748b16c33e91dd7cdd128ab0917cd.exe
"C:\Users\Admin\AppData\Local\Temp\f6b748b16c33e91dd7cdd128ab0917cd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\pzzofr.exe
"C:\Users\Admin\AppData\Local\Temp\pzzofr.exe" C:\Users\Admin\AppData\Local\Temp\wgbry.jr
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\pzzofr.exe
"C:\Users\Admin\AppData\Local\Temp\pzzofr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebsavjss.kjw
Filesize
98KB

MD5
027e07ca854e78cece5cfe97887a6107

SHA1
f30db8d9abc6d0ed6052cebab449881e96d86ef6

SHA256
9fa6eb57f060b02ca19d3ef9a151080b65c7511f5cfa513a1c68bfcdabc120c2

SHA512
1bf6ac99ab281cfbdb63849b51ab482f8be9ee78079289461e4c61f70d41e76006db26a4b359f239b4f6e09df1766ce95c2a85864396e302f349adf6aca7aad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzzofr.exe
Filesize
99KB

MD5
86cd3e0be4b6aa64973055f8def9b834

SHA1
8dff1a4ee9ff60d6cc185efad3e3782405e06810

SHA256
b8cfae9d4f4cd8fc37292bafce7ab336065cbb4b7eecda149d05a00fbfee22ce

SHA512
355566ed46b6de149557e513ab579e3e9c17eeb1afc1772f55b94fcb60d194b20dda61a3de13571870c78cbe4cf9942cd70bdb9fcff0d150524a11b35e265e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzzofr.exe
Filesize
99KB

MD5
86cd3e0be4b6aa64973055f8def9b834

SHA1
8dff1a4ee9ff60d6cc185efad3e3782405e06810

SHA256
b8cfae9d4f4cd8fc37292bafce7ab336065cbb4b7eecda149d05a00fbfee22ce

SHA512
355566ed46b6de149557e513ab579e3e9c17eeb1afc1772f55b94fcb60d194b20dda61a3de13571870c78cbe4cf9942cd70bdb9fcff0d150524a11b35e265e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzzofr.exe
Filesize
99KB

MD5
86cd3e0be4b6aa64973055f8def9b834

SHA1
8dff1a4ee9ff60d6cc185efad3e3782405e06810

SHA256
b8cfae9d4f4cd8fc37292bafce7ab336065cbb4b7eecda149d05a00fbfee22ce

SHA512
355566ed46b6de149557e513ab579e3e9c17eeb1afc1772f55b94fcb60d194b20dda61a3de13571870c78cbe4cf9942cd70bdb9fcff0d150524a11b35e265e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgbry.jr
Filesize
7KB

MD5
ce8a6241de4696149788ea19e1f2f5eb

SHA1
1dac7757bdaecaea47eeed9eb5714fab51783c7a

SHA256
61bbbf5c16e5542913285060928635d40cbdf3c6615812d4bc10cb0a8f7d8172

SHA512
05fa2ee7b19ef463bb9e69cb35dc28bdd98106aa67b2afc4bffcf73129335bb26ff7801beb5875c4936dd4ee2003f2438f9d7a2cd6618661f78cc1f976664a51

Download Submit
memory/4752-137-0x0000000000000000-mapping.dmp

Download
memory/4752-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4848-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads