warzonerat | a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e

General

Target

a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe
Size

327KB
MD5

e16edffaa9687714e5f9ebb9220f44fd
SHA1

847f729d7d68bcb6746cc82295878b0cabf33388
SHA256

a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e
SHA512

f6f74d4975cbfeab7ed269619795b7f46d818fa2409c6f42bb6d3677e0785612bc900a943ede907396289b899e2a39ed18031049bab9636b6873ed350433ba19
SSDEEP

6144:PBnxm/hZudIIuLpkyzypTJUwdYO+HDIG4jcE:LzdIZpkplVGfHDIHjf

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

baramac.duckdns.org:6269

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4844-139-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

cqlkm.execqlkm.exe

pid process

4928 cqlkm.exe
4844 cqlkm.exe

pid	process
4928	cqlkm.exe
4844	cqlkm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cqlkm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efrm = "C:\\Users\\Admin\\AppData\\Roaming\\smvvcpumrbjp\\eyhxgrfty.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cqlkm.exe\" C:\\Users\\Admin\\AppData\\Loc"	cqlkm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cqlkm.exe

description pid process target process

PID 4928 set thread context of 4844 4928 cqlkm.exe cqlkm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cqlkm.exe

pid process

4928 cqlkm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cqlkm.exe

pid process

4844 cqlkm.exe

description	pid	process	target process
PID 4928 set thread context of 4844	4928	cqlkm.exe	cqlkm.exe

pid	process
4928	cqlkm.exe

pid	process
4844	cqlkm.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.execqlkm.exe

description	pid	process	target process
PID 5036 wrote to memory of 4928	5036	a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe	cqlkm.exe
PID 5036 wrote to memory of 4928	5036	a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe	cqlkm.exe
PID 5036 wrote to memory of 4928	5036	a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe	cqlkm.exe
PID 4928 wrote to memory of 4844	4928	cqlkm.exe	cqlkm.exe
PID 4928 wrote to memory of 4844	4928	cqlkm.exe	cqlkm.exe
PID 4928 wrote to memory of 4844	4928	cqlkm.exe	cqlkm.exe
PID 4928 wrote to memory of 4844	4928	cqlkm.exe	cqlkm.exe

C:\Users\Admin\AppData\Local\Temp\a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe
"C:\Users\Admin\AppData\Local\Temp\a604be01cfee0dd2f3fdb6af8ed840668908d2dd268d2564486b4390d5eab66e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
"C:\Users\Admin\AppData\Local\Temp\cqlkm.exe" C:\Users\Admin\AppData\Local\Temp\lfkexjnrqf.tvq
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
"C:\Users\Admin\AppData\Local\Temp\cqlkm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
Filesize
12KB

MD5
ef89ea8ef2c335d2d454b49c6ad68b5d

SHA1
b46980d64871927d92d3c83ffceda4cc0593ac09

SHA256
0854e2fb4d1efae6325720dfe04bf8f71ebbb33fb1038caacdda2612ca9b7573

SHA512
5c9c744f5c770a458bebb5904f8445671b692352b72ed39e3c287fa0e581970c418521d82b6b8846958a994a83ff19eaba6f749f0911d14d100a62f4b78eb737

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
Filesize
12KB

MD5
ef89ea8ef2c335d2d454b49c6ad68b5d

SHA1
b46980d64871927d92d3c83ffceda4cc0593ac09

SHA256
0854e2fb4d1efae6325720dfe04bf8f71ebbb33fb1038caacdda2612ca9b7573

SHA512
5c9c744f5c770a458bebb5904f8445671b692352b72ed39e3c287fa0e581970c418521d82b6b8846958a994a83ff19eaba6f749f0911d14d100a62f4b78eb737

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqlkm.exe
Filesize
12KB

MD5
ef89ea8ef2c335d2d454b49c6ad68b5d

SHA1
b46980d64871927d92d3c83ffceda4cc0593ac09

SHA256
0854e2fb4d1efae6325720dfe04bf8f71ebbb33fb1038caacdda2612ca9b7573

SHA512
5c9c744f5c770a458bebb5904f8445671b692352b72ed39e3c287fa0e581970c418521d82b6b8846958a994a83ff19eaba6f749f0911d14d100a62f4b78eb737

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfkexjnrqf.tvq
Filesize
7KB

MD5
8ed0eb2b545ae6045dda88e66aaddbf1

SHA1
001e9ab1ef8c1d7973001fd43d10c34dbe5d50d4

SHA256
8ae557931095c1bf17bdd537b60d144f7b5e962bd620c1bc1c2379f3ee3f9edd

SHA512
17052ca191d32fd018f7626768398b749c0479e861577ebeaae26459cc121561d4fca16a10c3be435f46a74d3042a62e1ed3f6078d4ad61ebb852b521d174f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxvazzyx.ve
Filesize
98KB

MD5
d54eff50aa3ab52ff5e821296479bf81

SHA1
57a9d8e3527d4ad6f75cb3f6e3b20a96052149e5

SHA256
718e6e8861040d2bdf89466958503ab68e86ed9ca296b14031a9fde3a730c64a

SHA512
e3bf982075f6151f7b4a798c10bc4bbb904c00ba790219e148fee25ddef0f8f1460c481ae029528c848c4eb45b7938df4addd30f27beeac2559b972f2628ca0d

Download Submit
memory/4844-137-0x0000000000000000-mapping.dmp

Download
memory/4844-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4928-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads