warzonerat | 69d962a08c69bee560dae12bf7209a36a8a919bef0b65bf8277c823a5c4e1fd8

General

Target

94c7dc9f9d87abdcd8914c66caa72405.exe
Size

258KB
MD5

94c7dc9f9d87abdcd8914c66caa72405
SHA1

f7ca918331bbd0d6bd05c21979b0fa4f2fe1e0fb
SHA256

69d962a08c69bee560dae12bf7209a36a8a919bef0b65bf8277c823a5c4e1fd8
SHA512

d3fb24c05f1e4df7a535919431042ce2309d83d521a69c67a82c15a2504109b3c20d821b4e67eb7f9f5b82e8d928982349519c1e5dfc65e367ea33712ee5f6dc
SSDEEP

3072:EfY/TU9fE9PEtuDbm5jjwHnSEVrvz5r67A3YfmSFkqff4CdhhM76YCoAhwZfBu9a:SYa694fKnSSrr5rkN3bW7dL3u9KARNK

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

bluemoon7.duckdns.org:2023

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1716-67-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/1716-68-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

pid	Process
816	hhvfsnsvxq.exe
1716	hhvfsnsvxq.exe

Loads dropped DLL 3 IoCs

pid	Process
1264	94c7dc9f9d87abdcd8914c66caa72405.exe
1264	94c7dc9f9d87abdcd8914c66caa72405.exe
816	hhvfsnsvxq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfuliiq = "C:\\Users\\Admin\\AppData\\Roaming\\pkvntpxnvhhai\\wtiqrgbaf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hhvfsnsvxq.exe\" C:\\Users\\Admin\\AppDa"	hhvfsnsvxq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 1716	816	hhvfsnsvxq.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
816	hhvfsnsvxq.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1716	hhvfsnsvxq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 816	1264	94c7dc9f9d87abdcd8914c66caa72405.exe	28
PID 1264 wrote to memory of 816	1264	94c7dc9f9d87abdcd8914c66caa72405.exe	28
PID 1264 wrote to memory of 816	1264	94c7dc9f9d87abdcd8914c66caa72405.exe	28
PID 1264 wrote to memory of 816	1264	94c7dc9f9d87abdcd8914c66caa72405.exe	28
PID 816 wrote to memory of 1716	816	hhvfsnsvxq.exe	30
PID 816 wrote to memory of 1716	816	hhvfsnsvxq.exe	30
PID 816 wrote to memory of 1716	816	hhvfsnsvxq.exe	30
PID 816 wrote to memory of 1716	816	hhvfsnsvxq.exe	30
PID 816 wrote to memory of 1716	816	hhvfsnsvxq.exe	30

C:\Users\Admin\AppData\Local\Temp\94c7dc9f9d87abdcd8914c66caa72405.exe
"C:\Users\Admin\AppData\Local\Temp\94c7dc9f9d87abdcd8914c66caa72405.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe
  "C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe" C:\Users\Admin\AppData\Local\Temp\mpvateb.l
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe
    "C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpvateb.l

Filesize
7KB

MD5
a25ab1d1571ae305052a014bf18fd319

SHA1
f6c38ed17dd6e5d3b92911db93a44914b9cb1293

SHA256
cf9acfd4d91e2e9bf7e8c11c35130db81ce1c23c31094e02f71d8ff60ed514e0

SHA512
290c81258646623c0e973896590a05b93b07583617e5022922415a178822b7d19bc29bd949600f47f300f6037dad28d8acf2aebb9b0eba2f316c59a70916ae99

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxmxh.b

Filesize
118KB

MD5
64ea796f4fd80811e02a94b67f8e3acc

SHA1
d7e9a1ae217df0861af92f831c7f32b0a40252c9

SHA256
868603ad52e807fdcca33b8f086949bc064beeda377ad97b56ea285204dfd881

SHA512
17a1f27ffff50dfcfb5c8ddfa0c838786a3145cef453897d0b799509a2ba3c4043e19015946e2467c4ec3fef19611b086a4f70f234cf3e502ac62de21ce0d7c6

Download Submit
\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
\Users\Admin\AppData\Local\Temp\hhvfsnsvxq.exe

Filesize
54KB

MD5
7de0a7edfd4f473aa3fc67630084c4f2

SHA1
7c01a1b7b112fc3a421a2e4193079b4d55052027

SHA256
ab4144ad444c2a4245d9e5923bb2c3a0eba6303ba3f577994d88c6be323db216

SHA512
6e95f4b3d1b59b761319a21c786f4b8d75b6eb2303c58136f58ed3e2fb43e286e8f4544c9d5ed22a57e7091930fb425767e490c69a0a3d03d92c4ffd2b1c0f6d

Download Submit
memory/816-57-0x0000000000000000-mapping.dmp

Download
memory/1264-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1716-64-0x0000000000405738-mapping.dmp

Download
memory/1716-67-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1716-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing