warzonerat | 396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e

General

Target

Scanned008907.exe
Size

1.0MB
MD5

0b5c131ce6f6ba1e86293ac0b16317b1
SHA1

10b03b58dceedfd1c99f04200d9692ef846a8030
SHA256

396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e
SHA512

729880fd1553e154b0180ef7c19f00092511ae9dac6560a5b53365ca93f6fd78ed2bd1f52968fa5b5325591214a96140948b70525b0b76bbbd9f1bfad32b62cb
SSDEEP

12288:aq+gtQtCm4yiiguuR3uq+CjCk8feoFgAXuRs2AB6T8H3+H+5CA2G:VIT4i0CkO5HXB6gX+H+57B

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

155.94.150.100:6473

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1120-54-0x0000000002A00000-0x0000000002B5C000-memory.dmp	warzonerat
behavioral1/memory/1120-60-0x0000000002A00000-0x0000000002B5C000-memory.dmp	warzonerat
behavioral1/memory/1120-61-0x0000000002000000-0x0000000002A00000-memory.dmp	warzonerat
behavioral1/memory/1120-71-0x0000000002A00000-0x0000000002B5C000-memory.dmp	warzonerat
behavioral1/memory/1740-72-0x0000000000950000-0x0000000000AAC000-memory.dmp	warzonerat
behavioral1/memory/1740-78-0x0000000000950000-0x0000000000AAC000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
1740	images.exe

Loads dropped DLL 1 IoCs

pid	Process
1120	Scanned008907.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"	Scanned008907.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	powershell.exe
1792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 748	1120	Scanned008907.exe	28
PID 1120 wrote to memory of 748	1120	Scanned008907.exe	28
PID 1120 wrote to memory of 748	1120	Scanned008907.exe	28
PID 1120 wrote to memory of 748	1120	Scanned008907.exe	28
PID 1120 wrote to memory of 1740	1120	Scanned008907.exe	30
PID 1120 wrote to memory of 1740	1120	Scanned008907.exe	30
PID 1120 wrote to memory of 1740	1120	Scanned008907.exe	30
PID 1120 wrote to memory of 1740	1120	Scanned008907.exe	30
PID 1740 wrote to memory of 1792	1740	images.exe	32
PID 1740 wrote to memory of 1792	1740	images.exe	32
PID 1740 wrote to memory of 1792	1740	images.exe	32
PID 1740 wrote to memory of 1792	1740	images.exe	32
PID 1740 wrote to memory of 660	1740	images.exe	34
PID 1740 wrote to memory of 660	1740	images.exe	34
PID 1740 wrote to memory of 660	1740	images.exe	34
PID 1740 wrote to memory of 660	1740	images.exe	34
PID 1740 wrote to memory of 660	1740	images.exe	34
PID 1740 wrote to memory of 660	1740	images.exe	34

C:\Users\Admin\AppData\Local\Temp\Scanned008907.exe
"C:\Users\Admin\AppData\Local\Temp\Scanned008907.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Users\Admin\Documents\images.exe
  "C:\Users\Admin\Documents\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QYHWV8HSR13FL51XQMA.temp

Filesize
7KB

MD5
196bae27146f36ed7b61cb56e39f798c

SHA1
062dc58cb68f662c308fb4e631e0d5b06263270c

SHA256
e2991926f4e3ce6a85eb92b58bdacca739eb824469579d92896bb72d46fc7cb0

SHA512
2d149cd792ba5680b6de333d4baedab5df1588c767ddc5e2578a97b726834ee0529547202bb10d5f3cb96ec511804492c2938d160f42f9ba967eef34de793dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
196bae27146f36ed7b61cb56e39f798c

SHA1
062dc58cb68f662c308fb4e631e0d5b06263270c

SHA256
e2991926f4e3ce6a85eb92b58bdacca739eb824469579d92896bb72d46fc7cb0

SHA512
2d149cd792ba5680b6de333d4baedab5df1588c767ddc5e2578a97b726834ee0529547202bb10d5f3cb96ec511804492c2938d160f42f9ba967eef34de793dd7

Download Submit
C:\Users\Admin\Documents\images.exe

Filesize
1.0MB

MD5
0b5c131ce6f6ba1e86293ac0b16317b1

SHA1
10b03b58dceedfd1c99f04200d9692ef846a8030

SHA256
396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e

SHA512
729880fd1553e154b0180ef7c19f00092511ae9dac6560a5b53365ca93f6fd78ed2bd1f52968fa5b5325591214a96140948b70525b0b76bbbd9f1bfad32b62cb

Download Submit
C:\Users\Admin\Documents\images.exe

Filesize
1.0MB

MD5
0b5c131ce6f6ba1e86293ac0b16317b1

SHA1
10b03b58dceedfd1c99f04200d9692ef846a8030

SHA256
396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e

SHA512
729880fd1553e154b0180ef7c19f00092511ae9dac6560a5b53365ca93f6fd78ed2bd1f52968fa5b5325591214a96140948b70525b0b76bbbd9f1bfad32b62cb

Download Submit
\Users\Admin\Documents\images.exe

Filesize
1.0MB

MD5
0b5c131ce6f6ba1e86293ac0b16317b1

SHA1
10b03b58dceedfd1c99f04200d9692ef846a8030

SHA256
396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e

SHA512
729880fd1553e154b0180ef7c19f00092511ae9dac6560a5b53365ca93f6fd78ed2bd1f52968fa5b5325591214a96140948b70525b0b76bbbd9f1bfad32b62cb

Download Submit
memory/660-87-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/660-86-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/748-65-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/748-64-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1120-71-0x0000000002A00000-0x0000000002B5C000-memory.dmp

Filesize
1.4MB

Download
memory/1120-54-0x0000000002A00000-0x0000000002B5C000-memory.dmp

Filesize
1.4MB

Download
memory/1120-61-0x0000000002000000-0x0000000002A00000-memory.dmp

Filesize
10.0MB

Download
memory/1120-60-0x0000000002A00000-0x0000000002B5C000-memory.dmp

Filesize
1.4MB

Download
memory/1740-72-0x0000000000950000-0x0000000000AAC000-memory.dmp

Filesize
1.4MB

Download
memory/1740-78-0x0000000000950000-0x0000000000AAC000-memory.dmp

Filesize
1.4MB

Download
memory/1792-85-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing