warzonerat | dc450bf333dd5533e9f3a919a5412529ba0477e6eee69caf23c9c881814a5bb6

General

Target

NetGearRuntime.exe
Size

734KB
MD5

a5eb17cc2f951064c1a36209f68ed21f
SHA1

c26d3ad77076b2f73861537a213ec932f7497e49
SHA256

dc450bf333dd5533e9f3a919a5412529ba0477e6eee69caf23c9c881814a5bb6
SHA512

2b6cb09f3b41be9435f33f1d2c5af9357c86f5608111c293ac8173c240c0807f0e7394e092c75ab106cece47c45c3443a061e8b4d2494606948da91b78ea164f
SSDEEP

12288:oaJtu9nYr3WraEZO8Sel4V3FvGMDAzBVafwwT9aZ9rS0uh2cGC:oaeImrNZO8Sels3FvT6afBctuh2jC

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2032	1708	NetGearRuntime.exe	30

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	NetGearRuntime.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	NetGearRuntime.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	NetGearRuntime.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30
PID 1708 wrote to memory of 2032	1708	NetGearRuntime.exe	30

C:\Users\Admin\AppData\Local\Temp\NetGearRuntime.exe
"C:\Users\Admin\AppData\Local\Temp\NetGearRuntime.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\NetGearRuntime.exe
  "C:\Users\Admin\AppData\Local\Temp\NetGearRuntime.exe"
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-56-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2032-61-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/2032-62-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing