warzonerat | 775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

Analysis

max time kernel
145s
max time network
174s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe
Size

233KB
MD5

e1f0900fd5e06781b90672ac17d93183
SHA1

d661223516d41c3594be6a4bcea6bcb52e5b227b
SHA256

775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e
SHA512

52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30
SSDEEP

6144:G0G/OX0qr9tnMZD37F0xiwBP/DGDMDSj:4/6XxoqxTPrGS

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

185.225.75.68:2222

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2784-7-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-8-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-9-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-12-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-10-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-15-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-16-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral1/memory/2784-20-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

pid	Process
2424	poh.exe
2900	poh.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 2424 set thread context of 2120	2424	poh.exe	40
PID 2900 set thread context of 584	2900	poh.exe	50

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	2120	WerFault.exe	40

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2588	schtasks.exe
1912	schtasks.exe
2000	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2784	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	28
PID 1096 wrote to memory of 2744	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	29
PID 1096 wrote to memory of 2744	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	29
PID 1096 wrote to memory of 2744	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	29
PID 1096 wrote to memory of 2744	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	29
PID 1096 wrote to memory of 2852	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	32
PID 1096 wrote to memory of 2852	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	32
PID 1096 wrote to memory of 2852	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	32
PID 1096 wrote to memory of 2852	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	32
PID 1096 wrote to memory of 3028	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	35
PID 1096 wrote to memory of 3028	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	35
PID 1096 wrote to memory of 3028	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	35
PID 1096 wrote to memory of 3028	1096	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	35
PID 2852 wrote to memory of 2588	2852	cmd.exe	37
PID 2852 wrote to memory of 2588	2852	cmd.exe	37
PID 2852 wrote to memory of 2588	2852	cmd.exe	37
PID 2852 wrote to memory of 2588	2852	cmd.exe	37
PID 2572 wrote to memory of 2424	2572	taskeng.exe	39
PID 2572 wrote to memory of 2424	2572	taskeng.exe	39
PID 2572 wrote to memory of 2424	2572	taskeng.exe	39
PID 2572 wrote to memory of 2424	2572	taskeng.exe	39
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2120	2424	poh.exe	40
PID 2424 wrote to memory of 2912	2424	poh.exe	41
PID 2424 wrote to memory of 2912	2424	poh.exe	41
PID 2424 wrote to memory of 2912	2424	poh.exe	41
PID 2424 wrote to memory of 2912	2424	poh.exe	41
PID 2424 wrote to memory of 2832	2424	poh.exe	42
PID 2424 wrote to memory of 2832	2424	poh.exe	42
PID 2424 wrote to memory of 2832	2424	poh.exe	42
PID 2424 wrote to memory of 2832	2424	poh.exe	42
PID 2424 wrote to memory of 2020	2424	poh.exe	43
PID 2424 wrote to memory of 2020	2424	poh.exe	43
PID 2424 wrote to memory of 2020	2424	poh.exe	43
PID 2424 wrote to memory of 2020	2424	poh.exe	43
PID 2832 wrote to memory of 1912	2832	cmd.exe	47
PID 2832 wrote to memory of 1912	2832	cmd.exe	47
PID 2832 wrote to memory of 1912	2832	cmd.exe	47
PID 2832 wrote to memory of 1912	2832	cmd.exe	47
PID 2120 wrote to memory of 2560	2120	vbc.exe	48
PID 2120 wrote to memory of 2560	2120	vbc.exe	48
PID 2120 wrote to memory of 2560	2120	vbc.exe	48
PID 2120 wrote to memory of 2560	2120	vbc.exe	48

C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe
"C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\poh"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe" "C:\Users\Admin\AppData\Roaming\poh\poh.exe"
  2⤵
  PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {232EE25E-D45B-44E4-8716-F0AD9A6E1838} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Roaming\poh\poh.exe
  C:\Users\Admin\AppData\Roaming\poh\poh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 212
      4⤵
      Program crash
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\poh"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poh\poh.exe" "C:\Users\Admin\AppData\Roaming\poh\poh.exe"
    3⤵
    PID:2020
- C:\Users\Admin\AppData\Roaming\poh\poh.exe
  C:\Users\Admin\AppData\Roaming\poh\poh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:584
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\poh"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poh\poh.exe" "C:\Users\Admin\AppData\Roaming\poh\poh.exe"
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\poh\poh.exe

Filesize
233KB

MD5
e1f0900fd5e06781b90672ac17d93183

SHA1
d661223516d41c3594be6a4bcea6bcb52e5b227b

SHA256
775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

SHA512
52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30

Download Submit
C:\Users\Admin\AppData\Roaming\poh\poh.exe

Filesize
233KB

MD5
e1f0900fd5e06781b90672ac17d93183

SHA1
d661223516d41c3594be6a4bcea6bcb52e5b227b

SHA256
775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

SHA512
52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30

Download Submit
C:\Users\Admin\AppData\Roaming\poh\poh.exe

Filesize
233KB

MD5
e1f0900fd5e06781b90672ac17d93183

SHA1
d661223516d41c3594be6a4bcea6bcb52e5b227b

SHA256
775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

SHA512
52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30

Download Submit
memory/1096-14-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1096-1-0x0000000000880000-0x00000000008C0000-memory.dmp

Filesize
256KB

Download
memory/1096-0-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1096-17-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-37-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-24-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-23-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2784-8-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-9-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-15-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-12-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-16-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-20-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-10-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-7-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-6-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-4-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2784-2-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2900-39-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/2900-41-0x00000000737D0000-0x0000000073EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-55-0x00000000737D0000-0x0000000073EBE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads