warzonerat | 3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf

General

Target

3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe
Size

289KB
MD5

233263c102c58bf5254047996a490096
SHA1

a6b0bcd4f86dc989a11947e9e9427ee84f253f85
SHA256

3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf
SHA512

8c05a2140082fd5256bb76d3fc9d6023ede89032241e82bb4ed51b693b3bdc5ff633557e10c7b62c491158439e43311886d292db0e19bafd4c236c949a3d38f2
SSDEEP

6144:HBnbWzrYM0XopgVJP0+K6Yp+0mC5B8zIeXznQsUfc/1l:xWz8BJxmYm8zIgnnUfc/z

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

rajsavindia.hopto.org:5067

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1540-66-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

zojblijz.exezojblijz.exe

pid process

840 zojblijz.exe
1540 zojblijz.exe
Loads dropped DLL 2 IoCs

Processes:

3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exezojblijz.exe

pid process

852 3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe
840 zojblijz.exe

pid	process
840	zojblijz.exe
1540	zojblijz.exe

pid	process
852	3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe
840	zojblijz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zojblijz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\kivt = "C:\\Users\\Admin\\AppData\\Roaming\\gmgsmm\\jrwjtsnjanmuf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zojblijz.exe\" C:\\Users\\Admin\\AppData\\Lo"	zojblijz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zojblijz.exe

description pid process target process

PID 840 set thread context of 1540 840 zojblijz.exe zojblijz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

zojblijz.exe

pid process

840 zojblijz.exe

description	pid	process	target process
PID 840 set thread context of 1540	840	zojblijz.exe	zojblijz.exe

pid	process
840	zojblijz.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exezojblijz.exe

description	pid	process	target process
PID 852 wrote to memory of 840	852	3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe	zojblijz.exe
PID 852 wrote to memory of 840	852	3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe	zojblijz.exe
PID 852 wrote to memory of 840	852	3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe	zojblijz.exe
PID 852 wrote to memory of 840	852	3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe	zojblijz.exe
PID 840 wrote to memory of 1540	840	zojblijz.exe	zojblijz.exe
PID 840 wrote to memory of 1540	840	zojblijz.exe	zojblijz.exe
PID 840 wrote to memory of 1540	840	zojblijz.exe	zojblijz.exe
PID 840 wrote to memory of 1540	840	zojblijz.exe	zojblijz.exe
PID 840 wrote to memory of 1540	840	zojblijz.exe	zojblijz.exe

C:\Users\Admin\AppData\Local\Temp\3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe
"C:\Users\Admin\AppData\Local\Temp\3a762352395e0d9f1910cadb10d4e227edae9ca44807455305a0ad5bc122dacf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\zojblijz.exe
"C:\Users\Admin\AppData\Local\Temp\zojblijz.exe" C:\Users\Admin\AppData\Local\Temp\skzhjstor.yn
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\zojblijz.exe
"C:\Users\Admin\AppData\Local\Temp\zojblijz.exe" C:\Users\Admin\AppData\Local\Temp\skzhjstor.yn
3⤵
- Executes dropped EXE
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dkgqssqx.b
Filesize
113KB

MD5
bf556abc2e73a7f0cd5f673892d9d334

SHA1
1cbed97d14f21c494f779fd107acc5231e653468

SHA256
15ba114d3d4744696aeb4645012846c94459ba720da19670737d1432ac516b2f

SHA512
c354a0e50199683efaa6be4e3f7046bd404c9955c3a7a48ad0483df622d18c34ca5307c3d67777ea23653cec1ad9fdefb3ed242c10ff944c34baf7444d62528d

Download Submit
C:\Users\Admin\AppData\Local\Temp\skzhjstor.yn
Filesize
7KB

MD5
899273aa03dc0367c64270d9bb78b9a6

SHA1
544bd3ec3edc1e4d5c285ade6a65740bb89bcece

SHA256
ac3bff4a8254bb85e44933240e0112ce95b2ff9593ce85cf6e2119ed277a76e2

SHA512
9123c701d429d175d36362b6daac012983423a3be36d585a89c934897d4f58919ff1050221f64bec9451bbc878354990db2e30ec6e875311638401e1f4f9dc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zojblijz.exe
Filesize
332KB

MD5
8b3ea3263d110a7fcde4112c1cf1f9d2

SHA1
6917eb58e1881f1ee1819b4e58bbb7bfb9c756bc

SHA256
1e5dd2c6b6e9b57714c603db846bf1e8f24f5761bcbabc2a7ce4fa5ad680197b

SHA512
74ad35b39b0c4b2d33f037e30c68629404d5aecb0f91cf45b7783ae119714a1ce4d44d2167f07c808fa18584cfc03026da5df46a63ac52099de1572024d23340

Download Submit
C:\Users\Admin\AppData\Local\Temp\zojblijz.exe
Filesize
332KB

MD5
8b3ea3263d110a7fcde4112c1cf1f9d2

SHA1
6917eb58e1881f1ee1819b4e58bbb7bfb9c756bc

SHA256
1e5dd2c6b6e9b57714c603db846bf1e8f24f5761bcbabc2a7ce4fa5ad680197b

SHA512
74ad35b39b0c4b2d33f037e30c68629404d5aecb0f91cf45b7783ae119714a1ce4d44d2167f07c808fa18584cfc03026da5df46a63ac52099de1572024d23340

Download Submit
C:\Users\Admin\AppData\Local\Temp\zojblijz.exe
Filesize
332KB

MD5
8b3ea3263d110a7fcde4112c1cf1f9d2

SHA1
6917eb58e1881f1ee1819b4e58bbb7bfb9c756bc

SHA256
1e5dd2c6b6e9b57714c603db846bf1e8f24f5761bcbabc2a7ce4fa5ad680197b

SHA512
74ad35b39b0c4b2d33f037e30c68629404d5aecb0f91cf45b7783ae119714a1ce4d44d2167f07c808fa18584cfc03026da5df46a63ac52099de1572024d23340

Download Submit
\Users\Admin\AppData\Local\Temp\zojblijz.exe
Filesize
332KB

MD5
8b3ea3263d110a7fcde4112c1cf1f9d2

SHA1
6917eb58e1881f1ee1819b4e58bbb7bfb9c756bc

SHA256
1e5dd2c6b6e9b57714c603db846bf1e8f24f5761bcbabc2a7ce4fa5ad680197b

SHA512
74ad35b39b0c4b2d33f037e30c68629404d5aecb0f91cf45b7783ae119714a1ce4d44d2167f07c808fa18584cfc03026da5df46a63ac52099de1572024d23340

Download Submit
\Users\Admin\AppData\Local\Temp\zojblijz.exe
Filesize
332KB

MD5
8b3ea3263d110a7fcde4112c1cf1f9d2

SHA1
6917eb58e1881f1ee1819b4e58bbb7bfb9c756bc

SHA256
1e5dd2c6b6e9b57714c603db846bf1e8f24f5761bcbabc2a7ce4fa5ad680197b

SHA512
74ad35b39b0c4b2d33f037e30c68629404d5aecb0f91cf45b7783ae119714a1ce4d44d2167f07c808fa18584cfc03026da5df46a63ac52099de1572024d23340

Download Submit
memory/840-56-0x0000000000000000-mapping.dmp

Download
memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1540-63-0x0000000000405CE2-mapping.dmp

Download
memory/1540-66-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads