warzonerat | 3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48

General

Target

3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe
Size

347KB
MD5

6919d85bb10aad2b3078283f8b9108f0
SHA1

3a11e7ff6bf51467f197dec068b6abeb2570eb68
SHA256

3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48
SHA512

8dedcd2a3a684fd5e1078d6b1404479267a0b5fa5a851c5a3de65a02ccdbeef2aa2587fc69172791e125a15be4c8383a622f50abc50a45488ef1aa0ef9bcbead
SSDEEP

3072:HEhKzShSycb2OYLwt1LX9kC+Nl6FJT/AaUkMqpN08UKgCj6KJ4w6QonNIZ3cyV/L:HBnAU1X9Tel6FV4aURqpq1CjA/NY3fL

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

baramac.duckdns.org:6269

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3468-139-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

bfctcfvlam.exebfctcfvlam.exe

pid process

2960 bfctcfvlam.exe
3468 bfctcfvlam.exe

pid	process
2960	bfctcfvlam.exe
3468	bfctcfvlam.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bfctcfvlam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byopasxjub = "C:\\Users\\Admin\\AppData\\Roaming\\gxnomttw\\clfngtotjcn.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfctcfvlam.exe\" C:\\Users\\Admin\\AppData\\"	bfctcfvlam.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bfctcfvlam.exe

description pid process target process

PID 2960 set thread context of 3468 2960 bfctcfvlam.exe bfctcfvlam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

bfctcfvlam.exe

pid process

2960 bfctcfvlam.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bfctcfvlam.exe

pid process

3468 bfctcfvlam.exe

description	pid	process	target process
PID 2960 set thread context of 3468	2960	bfctcfvlam.exe	bfctcfvlam.exe

pid	process
2960	bfctcfvlam.exe

pid	process
3468	bfctcfvlam.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exebfctcfvlam.exe

description	pid	process	target process
PID 4216 wrote to memory of 2960	4216	3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe	bfctcfvlam.exe
PID 4216 wrote to memory of 2960	4216	3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe	bfctcfvlam.exe
PID 4216 wrote to memory of 2960	4216	3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe	bfctcfvlam.exe
PID 2960 wrote to memory of 3468	2960	bfctcfvlam.exe	bfctcfvlam.exe
PID 2960 wrote to memory of 3468	2960	bfctcfvlam.exe	bfctcfvlam.exe
PID 2960 wrote to memory of 3468	2960	bfctcfvlam.exe	bfctcfvlam.exe
PID 2960 wrote to memory of 3468	2960	bfctcfvlam.exe	bfctcfvlam.exe

C:\Users\Admin\AppData\Local\Temp\3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe
"C:\Users\Admin\AppData\Local\Temp\3707533042d67a657b987ec153e0b5711f0c4d06377ee5143759483698bc7f48.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
"C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe" C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
"C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfctcfvlam.exe
Filesize
12KB

MD5
55f6c059b1b9b8937a03a0409218cbf6

SHA1
b1d59ab9d2d32c35cccd35bc485b4fe3cfc9dcd4

SHA256
3f14b8be08aa1c0f3e6c2c7c58a6c1cbff39647cbb3d430ace8c411d43330476

SHA512
5b33cebbd8e45ea26cddb39b1e80f5fd3718dbf1a89e2c8cb740a32b369d848bcd11be0fdb21e5d9392ccb7ce70fe595d6bd72b4d6ccd394bbfaa0acc124eda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickztvancv.lez
Filesize
98KB

MD5
16bad3cabe4186c24eaaf1100f795150

SHA1
a140ecb2c690ffc44077c2017d819657e75f6818

SHA256
86860100715a1aea106bb16d7e855b4652eba52b6f28ebe57e3a929f8e2f5d9a

SHA512
1fb27338d4f47dfde7e0752fad4d24e6fe60d8fb56c35f8be55c94a786872f817330b36385f0c98c9b46572d57c423bd22cfd2d7a530fcef568e1a2df838f04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vezrmelyb.d
Filesize
7KB

MD5
5a9896aeebe978e68d2acbec19c4075b

SHA1
3edd7aa395c7874f96ff9ceabf67e8d170c55041

SHA256
c135d60595d1c7d25cb9f4eb899aec4d05ce7f1c149b16b2def80346b69324df

SHA512
c847991d0c83a254ebae5a48947ed44f173c86f133945a7b9a669f965cab0c3c3243246d6a19bf4d26e8e8da3b89d422bdc34c74eea9ba627383b1d0010b7e73

Download Submit
memory/2960-132-0x0000000000000000-mapping.dmp

Download
memory/3468-137-0x0000000000000000-mapping.dmp

Download
memory/3468-139-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads