warzonerat | 8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f

General

Target

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe
Size

177KB
MD5

877f6849ca8eb7a220d7bb64add71f44
SHA1

41550d90774094cc82fce79db394c0bbdaf9c269
SHA256

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f
SHA512

cc71b1c3fd3fd4ec15a38f4fdb55e99a09964acf740e32b8093fb05ef23454ed4d2daa560db49c23bda1526f267ff292326585f1f06d31aa3bc866d3acbf256c
SSDEEP

3072:2fY/TU9fE9PEtuGbo74DhFVnHNrNRBpAnv++sKXzRHyuOV0AASZv7M5yg7u:gYa6Wo74FnHRBpAn7XzRHyu40AASZ6Ba

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

macrim.duckdns.org:6269

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4516-143-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4516-146-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4516-148-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/4516-149-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

izauc.exeizauc.exe

pid process

940 izauc.exe
4516 izauc.exe

pid	process
940	izauc.exe
4516	izauc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

izauc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\njscwgclu = "C:\\Users\\Admin\\AppData\\Roaming\\fxsclh\\qmvfbktpyue.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\izauc.exe\" C:\\Users\\Admin\\AppData\\Local\\T"	izauc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

izauc.exe

description pid process target process

PID 940 set thread context of 4516 940 izauc.exe izauc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

izauc.exe

pid process

940 izauc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

izauc.exe

pid process

4516 izauc.exe

description	pid	process	target process
PID 940 set thread context of 4516	940	izauc.exe	izauc.exe

pid	process
940	izauc.exe

pid	process
4516	izauc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exeizauc.exe

description	pid	process	target process
PID 3236 wrote to memory of 940	3236	8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe	izauc.exe
PID 3236 wrote to memory of 940	3236	8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe	izauc.exe
PID 3236 wrote to memory of 940	3236	8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe	izauc.exe
PID 940 wrote to memory of 4516	940	izauc.exe	izauc.exe
PID 940 wrote to memory of 4516	940	izauc.exe	izauc.exe
PID 940 wrote to memory of 4516	940	izauc.exe	izauc.exe
PID 940 wrote to memory of 4516	940	izauc.exe	izauc.exe

C:\Users\Admin\AppData\Local\Temp\8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe
"C:\Users\Admin\AppData\Local\Temp\8eb2f7ab9bab3a18b8e697ade5fa57a70f7200bb442179bb8761b9f2d876345f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\izauc.exe
"C:\Users\Admin\AppData\Local\Temp\izauc.exe" C:\Users\Admin\AppData\Local\Temp\htignl.m
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\izauc.exe
"C:\Users\Admin\AppData\Local\Temp\izauc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\htignl.m
Filesize
7KB

MD5
f2b9c73413060e335b609dd176040df5

SHA1
e096feacd831cb56c29b7e0bf876173630e9f2b0

SHA256
7934d4d2a44a2557a8eda2ccc0e036083457b26d2876a786b862e9dbb6198fb8

SHA512
926d62de9203dfe6be5cf265e9fbaaf0c26855a92efcce81f1879762eecc489f8009621adbae543132ad191f159d2edc7a4d536007f92a6da276ffae01e461fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\izauc.exe
Filesize
6KB

MD5
2a61906fbc67c26ba71fb8cf6140104b

SHA1
ab3643a48e1752ec3e5737ff0adb484db6456555

SHA256
35fd84ae72ac37f8c2e792e213a9cb3daf061e9405e708965282314333a5a3f6

SHA512
656eae0355fb70aef9f8399d5fcf9c3ce30dd266b9e0a63dbfd19db87c939a74382b82842991d5957ff911fb715de39c3031f7e492ef79c38c442060ae5a97a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\izauc.exe
Filesize
6KB

MD5
2a61906fbc67c26ba71fb8cf6140104b

SHA1
ab3643a48e1752ec3e5737ff0adb484db6456555

SHA256
35fd84ae72ac37f8c2e792e213a9cb3daf061e9405e708965282314333a5a3f6

SHA512
656eae0355fb70aef9f8399d5fcf9c3ce30dd266b9e0a63dbfd19db87c939a74382b82842991d5957ff911fb715de39c3031f7e492ef79c38c442060ae5a97a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\izauc.exe
Filesize
6KB

MD5
2a61906fbc67c26ba71fb8cf6140104b

SHA1
ab3643a48e1752ec3e5737ff0adb484db6456555

SHA256
35fd84ae72ac37f8c2e792e213a9cb3daf061e9405e708965282314333a5a3f6

SHA512
656eae0355fb70aef9f8399d5fcf9c3ce30dd266b9e0a63dbfd19db87c939a74382b82842991d5957ff911fb715de39c3031f7e492ef79c38c442060ae5a97a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nympwzfdyqo.fp
Filesize
118KB

MD5
b016846f500b9fb6e1770163ec1ebedf

SHA1
ebe46444dad433ae13d99f76cd68fa3b03ad1d74

SHA256
7c88366d42ff2ec708825c88e6108f11d973638d90ab19a3879dbdd160fa8238

SHA512
2a3064bf4da8990928af1f3dc525e85843b247c622e3d35d704a4f4c987e7392fc49c7c9a6e020e16f4f63a12f964eae6f381ca4f86c7a59cba4501d509c8282

Download Submit
memory/4516-143-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4516-146-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4516-148-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4516-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads