warzonerat | d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19.exe
Size

603KB
MD5

a66bff7ab5c211436c320ada78f5b0f8
SHA1

23f2591c836378fae58685600e3ef1a5168494d7
SHA256

d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19
SHA512

b657fd19f7b8eb605963861d0caf75c9511f6944a0f051d9433b1a193a6be98d90938df7498d5e9478f30717efa5b211ad984002731f1cfdacbaf8427a8a7e11
SSDEEP

12288:+uhKohUOrOsekKxqTrsrnrn8b8Mw8b8sw8b8Mw8b8sw8Bamhna878baP:FhKBsePcnJ

Score

10^/10

warzonerat infostealer persistence rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4804-132-0x00000000009E0000-0x0000000000CC4000-memory.dmp	upx
behavioral2/memory/4804-133-0x00000000009E0000-0x0000000000CC4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19.exe"	d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19.exe

C:\Users\Admin\AppData\Local\Temp\d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19.exe
"C:\Users\Admin\AppData\Local\Temp\d3ff54b73d0987b740b8c94d6c7d67c3dccc9983f126c574d4184b1788aeaf19.exe"
1⤵
- Adds Run key to start application
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4804-132-0x00000000009E0000-0x0000000000CC4000-memory.dmp

Filesize
2.9MB

Download
memory/4804-133-0x00000000009E0000-0x0000000000CC4000-memory.dmp

Filesize
2.9MB

Download
memory/4804-134-0x00000000033C0000-0x000000000351C000-memory.dmp

Filesize
1.4MB

Download
memory/4804-140-0x00000000029C0000-0x00000000033C0000-memory.dmp

Filesize
10.0MB

Download