warzonerat | 775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

General

Target

775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe
Size

233KB
MD5

e1f0900fd5e06781b90672ac17d93183
SHA1

d661223516d41c3594be6a4bcea6bcb52e5b227b
SHA256

775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e
SHA512

52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30
SSDEEP

6144:G0G/OX0qr9tnMZD37F0xiwBP/DGDMDSj:4/6XxoqxTPrGS

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.225.75.68:2222

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1308-3-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/1308-5-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/1308-8-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat
behavioral2/memory/1308-11-0x0000000000400000-0x000000000055C000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
2036	poh.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3088	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 1308	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	91
PID 2920 wrote to memory of 2936	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	92
PID 2920 wrote to memory of 2936	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	92
PID 2920 wrote to memory of 2936	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	92
PID 2920 wrote to memory of 4784	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	97
PID 2920 wrote to memory of 4784	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	97
PID 2920 wrote to memory of 4784	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	97
PID 2920 wrote to memory of 2748	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	93
PID 2920 wrote to memory of 2748	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	93
PID 2920 wrote to memory of 2748	2920	775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe	93
PID 4784 wrote to memory of 3088	4784	cmd.exe	98
PID 4784 wrote to memory of 3088	4784	cmd.exe	98
PID 4784 wrote to memory of 3088	4784	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe
"C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\poh"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e.exe" "C:\Users\Admin\AppData\Roaming\poh\poh.exe"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\poh\poh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3088

C:\Users\Admin\AppData\Roaming\poh\poh.exe
C:\Users\Admin\AppData\Roaming\poh\poh.exe
1⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\poh\poh.exe

Filesize
233KB

MD5
e1f0900fd5e06781b90672ac17d93183

SHA1
d661223516d41c3594be6a4bcea6bcb52e5b227b

SHA256
775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

SHA512
52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30

Download Submit
C:\Users\Admin\AppData\Roaming\poh\poh.exe

Filesize
233KB

MD5
e1f0900fd5e06781b90672ac17d93183

SHA1
d661223516d41c3594be6a4bcea6bcb52e5b227b

SHA256
775385bc6c4d8a59c167514aeb97c80856da11429b0c37db22c808908c4de73e

SHA512
52cab432d51d42c1a5932366f481f651bd33512da924b3f375723260243739a52fea581b21cb730850af3567dabe66de520b73efb197b766e810c10682422f30

Download Submit
memory/1308-3-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1308-5-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1308-8-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1308-11-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2036-14-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2920-0-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2920-1-0x0000000000610000-0x0000000000650000-memory.dmp

Filesize
256KB

Download
memory/2920-2-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2920-7-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads