warzonerat | ec6d01f6c374e83112445655eb88af26a9ec92ff701673c7c42ff5735777a3d2

General

Target

bf0baeedce73785238ace59df3906e68.exe
Size

1.8MB
MD5

bf0baeedce73785238ace59df3906e68
SHA1

a7e1a1611189c200c86ef6fcf174beafe2b783bc
SHA256

ec6d01f6c374e83112445655eb88af26a9ec92ff701673c7c42ff5735777a3d2
SHA512

6e711e45b33c9ebe17e0ed6afad8eaf9db530e64313c17d91dc0457fbda44de3ef8603203ddfe2cece4109d00cbd65e3233ec77c8387ca024fabf9cb4e3e854a
SSDEEP

49152:vhtORUwc166NlRq7vLSUtwtkwvbF6CWroWFeZkP9aiK+d:vhtORUB166NHq7vLZcpDF6CWBFeZkP9t

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

C2

sept5th.ddns.net:2022

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/3040-1-0x00000000003C0000-0x00000000003DD000-memory.dmp	warzonerat
behavioral1/memory/3040-2-0x0000000001E10000-0x0000000001F64000-memory.dmp	warzonerat
behavioral1/memory/3040-10-0x0000000001E10000-0x0000000001F64000-memory.dmp	warzonerat
behavioral1/memory/1608-16-0x0000000001E40000-0x0000000001F94000-memory.dmp	warzonerat
behavioral1/memory/1608-33-0x0000000001E40000-0x0000000001F94000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
1608	dgs.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	bf0baeedce73785238ace59df3906e68.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\dgs.exe"	bf0baeedce73785238ace59df3906e68.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	powershell.exe
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2076	3040	bf0baeedce73785238ace59df3906e68.exe	28
PID 3040 wrote to memory of 2076	3040	bf0baeedce73785238ace59df3906e68.exe	28
PID 3040 wrote to memory of 2076	3040	bf0baeedce73785238ace59df3906e68.exe	28
PID 3040 wrote to memory of 2076	3040	bf0baeedce73785238ace59df3906e68.exe	28
PID 3040 wrote to memory of 1608	3040	bf0baeedce73785238ace59df3906e68.exe	30
PID 3040 wrote to memory of 1608	3040	bf0baeedce73785238ace59df3906e68.exe	30
PID 3040 wrote to memory of 1608	3040	bf0baeedce73785238ace59df3906e68.exe	30
PID 3040 wrote to memory of 1608	3040	bf0baeedce73785238ace59df3906e68.exe	30
PID 1608 wrote to memory of 2308	1608	dgs.exe	31
PID 1608 wrote to memory of 2308	1608	dgs.exe	31
PID 1608 wrote to memory of 2308	1608	dgs.exe	31
PID 1608 wrote to memory of 2308	1608	dgs.exe	31
PID 1608 wrote to memory of 3004	1608	dgs.exe	32
PID 1608 wrote to memory of 3004	1608	dgs.exe	32
PID 1608 wrote to memory of 3004	1608	dgs.exe	32
PID 1608 wrote to memory of 3004	1608	dgs.exe	32
PID 1608 wrote to memory of 3004	1608	dgs.exe	32
PID 1608 wrote to memory of 3004	1608	dgs.exe	32

C:\Users\Admin\AppData\Local\Temp\bf0baeedce73785238ace59df3906e68.exe
"C:\Users\Admin\AppData\Local\Temp\bf0baeedce73785238ace59df3906e68.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath C:\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\ProgramData\dgs.exe
  "C:\ProgramData\dgs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dgs.exe

Filesize
1.8MB

MD5
bf0baeedce73785238ace59df3906e68

SHA1
a7e1a1611189c200c86ef6fcf174beafe2b783bc

SHA256
ec6d01f6c374e83112445655eb88af26a9ec92ff701673c7c42ff5735777a3d2

SHA512
6e711e45b33c9ebe17e0ed6afad8eaf9db530e64313c17d91dc0457fbda44de3ef8603203ddfe2cece4109d00cbd65e3233ec77c8387ca024fabf9cb4e3e854a

Download Submit
C:\ProgramData\dgs.exe

Filesize
881KB

MD5
cb3ba87bbd48d3435691ce7ead46a35f

SHA1
1a3c6a418f696784850bf5f688b5aa1a50f622be

SHA256
df68a08245c5a7dfe13c53ec471ec4dce705f9ba226a75b09fec7318724f3ede

SHA512
7dc806d64a05ce1842185af5e3b5842ace2b6bdc3cb1ac8eb4cc6afcd9bfaf6e308479a8d5fd2bb1bf415bdde38726087319f850461cc1ec1ed2691cc4e7947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
22d8a83f3f815f97dcd11b5f4b936a16

SHA1
d3386783e29223c592a027cb82c1a3e353918615

SHA256
a31e9a8f679aad86d4a7039996835a710160eae0f5cc4b9b9b3494dbfc5f7c55

SHA512
babd376fa7e6513a018eea20ca8340a437a656cb1892acedab51717e126c86625ac5f1abb0e89132a134d6ead06b312b7b6e42d921bfb0c28ca3ba4eb34273ec

Download Submit
\ProgramData\dgs.exe

Filesize
1.4MB

MD5
2bf3aac614089b38ea75325783783c70

SHA1
d5ceb52347eefddbe959b9bfe5cdf338a6f84b75

SHA256
d4e9824abb14b1ee39d758ba282e1944c806e393f3eee235ff111cd60e31fe5d

SHA512
1c291df7d82ca953526b0e7f0aad3f8e1140e755e044f386846dcdc59db7e97923eb00ac5ee7ae038a05d3f47669c7830fdb50dda6c65405ec223ddd3f739291

Download Submit
memory/1608-33-0x0000000001E40000-0x0000000001F94000-memory.dmp

Filesize
1.3MB

Download
memory/1608-16-0x0000000001E40000-0x0000000001F94000-memory.dmp

Filesize
1.3MB

Download
memory/1608-9-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2076-31-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-13-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-14-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-15-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2076-28-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-29-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-30-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2308-32-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2308-23-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/3004-25-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3004-24-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3040-0-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/3040-10-0x0000000001E10000-0x0000000001F64000-memory.dmp

Filesize
1.3MB

Download
memory/3040-8-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/3040-2-0x0000000001E10000-0x0000000001F64000-memory.dmp

Filesize
1.3MB

Download
memory/3040-1-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads