warzonerat | 56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

General

Target

0x000700000001b02f-13.exe
Size

141KB
MD5

8924c729f5b74dce861ebbe8170c1e24
SHA1

996451edb9e8b09a9f126107413c22d071ceb635
SHA256

56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314
SHA512

242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936
SSDEEP

3072:2k4aHUBOO36YplMqBB3ZcPxlG+bBsDHqYzHKG0qIwj:2dx3wqz3ZcDeDKYzqG01wj

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000014bf2-9.dat	warzonerat
behavioral1/files/0x0009000000014bf2-15.dat	warzonerat
behavioral1/files/0x0009000000014bf2-14.dat	warzonerat
behavioral1/files/0x0009000000014bf2-11.dat	warzonerat
behavioral1/files/0x0009000000014bf2-16.dat	warzonerat
behavioral1/memory/2712-23-0x00000000026E0000-0x0000000002720000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
2708	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1008	0x000700000001b02f-13.exe
1008	0x000700000001b02f-13.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\Documents\\svchost.exe"	0x000700000001b02f-13.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2752	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2752	1008	0x000700000001b02f-13.exe	28
PID 1008 wrote to memory of 2752	1008	0x000700000001b02f-13.exe	28
PID 1008 wrote to memory of 2752	1008	0x000700000001b02f-13.exe	28
PID 1008 wrote to memory of 2752	1008	0x000700000001b02f-13.exe	28
PID 1008 wrote to memory of 2708	1008	0x000700000001b02f-13.exe	30
PID 1008 wrote to memory of 2708	1008	0x000700000001b02f-13.exe	30
PID 1008 wrote to memory of 2708	1008	0x000700000001b02f-13.exe	30
PID 1008 wrote to memory of 2708	1008	0x000700000001b02f-13.exe	30
PID 2708 wrote to memory of 2712	2708	svchost.exe	31
PID 2708 wrote to memory of 2712	2708	svchost.exe	31
PID 2708 wrote to memory of 2712	2708	svchost.exe	31
PID 2708 wrote to memory of 2712	2708	svchost.exe	31
PID 2708 wrote to memory of 2488	2708	svchost.exe	33
PID 2708 wrote to memory of 2488	2708	svchost.exe	33
PID 2708 wrote to memory of 2488	2708	svchost.exe	33
PID 2708 wrote to memory of 2488	2708	svchost.exe	33
PID 2708 wrote to memory of 2488	2708	svchost.exe	33
PID 2708 wrote to memory of 2488	2708	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\0x000700000001b02f-13.exe
"C:\Users\Admin\AppData\Local\Temp\0x000700000001b02f-13.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Users\Admin\Documents\svchost.exe
  "C:\Users\Admin\Documents\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7D5311L33NZWTGDE9XP.temp

Filesize
7KB

MD5
c65f6a89368241da4ba34686f9d7a657

SHA1
699076d087277fff1a621d056744d8b6cd12c3d4

SHA256
e87cff77f025975b059a23b9d0e23aa39399093520af5855756bb2625e2d98d1

SHA512
43ca7174dfc4cc64ae1af4409c6a416d42bbe57dd3fe5c6d50277e707f4ec3014fc9903ab13862cbf99ba7c88417e32c88a70ca04c3cd5e67130ee9801971b27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c65f6a89368241da4ba34686f9d7a657

SHA1
699076d087277fff1a621d056744d8b6cd12c3d4

SHA256
e87cff77f025975b059a23b9d0e23aa39399093520af5855756bb2625e2d98d1

SHA512
43ca7174dfc4cc64ae1af4409c6a416d42bbe57dd3fe5c6d50277e707f4ec3014fc9903ab13862cbf99ba7c88417e32c88a70ca04c3cd5e67130ee9801971b27

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
\Users\Admin\Documents\svchost.exe

Filesize
141KB

MD5
8924c729f5b74dce861ebbe8170c1e24

SHA1
996451edb9e8b09a9f126107413c22d071ceb635

SHA256
56fc109c624733be74c8222cf04b939537455c3c0c41401878d385a49a698314

SHA512
242142e1fd729e8bf1e2e396b185e7eefcca8ea94d023698fa4b6b49a5b585d29c9a9e3cee23ac62e1d196493f500f0a999d1c2e95b63dc184b74a77732e5936

Download Submit
memory/2488-30-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2488-28-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2712-24-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2712-22-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-23-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2712-25-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/2712-26-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-27-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-7-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-6-0x0000000001BD0000-0x0000000001C10000-memory.dmp

Filesize
256KB

Download
memory/2752-5-0x0000000001BD0000-0x0000000001C10000-memory.dmp

Filesize
256KB

Download
memory/2752-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2752-4-0x0000000001BD0000-0x0000000001C10000-memory.dmp

Filesize
256KB

Download
memory/2752-3-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads