warzonerat | 02ef992b9a587c6cdc382995b5dcfff0367554ec581a6fa28d08c70444f9e0d9

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reservation.exe
Size

203KB
MD5

c3d2671ab969fd347e6e0b81c777fc48
SHA1

43d9902d2a7b0583be43ef8d4023c81e9a776e52
SHA256

02ef992b9a587c6cdc382995b5dcfff0367554ec581a6fa28d08c70444f9e0d9
SHA512

588524f48b47f32b1d412a43a3f376bcfd717db8d8a74c85bf4823c1af51ccbffbd76579544620587c84e2fea1e7ede4e2d361fb348758d8572ee7345eccfc07
SSDEEP

6144:/Ya66WOW6k4nLUfQzcGg6Zwaidc8J1CQC:/YgWOE4EQIhairI

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

plazzasecretballeronline.onedumb.com:14977

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/2996-140-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/2996-142-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/2996-143-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/2996-144-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/2996-146-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Loads dropped DLL 1 IoCs

pid	Process
4076	Reservation.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobats = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe!!\\Acrobat.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Reservation.exe\""	Reservation.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 2996	4076	Reservation.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4076	Reservation.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 2996	4076	Reservation.exe	84
PID 4076 wrote to memory of 2996	4076	Reservation.exe	84
PID 4076 wrote to memory of 2996	4076	Reservation.exe	84
PID 4076 wrote to memory of 2996	4076	Reservation.exe	84

C:\Users\Admin\AppData\Local\Temp\Reservation.exe
"C:\Users\Admin\AppData\Local\Temp\Reservation.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Reservation.exe
  "C:\Users\Admin\AppData\Local\Temp\Reservation.exe"
  2⤵
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyCE10.tmp\jxsmdidxxm.dll

Filesize
35KB

MD5
c9915e219a2d249f9b1f062b6a41530c

SHA1
9d230c9ea12189f5f351d864537108f32e7e7c0d

SHA256
83f19467ccf72ef1f39f298f2f91a512cce6021e8f81bc98a249225640cb29b8

SHA512
0be72a569a30155ec9c8ae389e867834063ca18c28ce529ce5ecce5e6552d536f9ffd3b28e6e3cb99a70c2c0d5548bf6331ec46ff90da1ee3a92c626110551ec

Download Submit
memory/2996-140-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2996-142-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2996-143-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2996-144-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2996-146-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/4076-138-0x0000000003300000-0x0000000003302000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads