warzonerat | d153e4163269a30e8c77868685269d598872eda2218f6659f0772824c7598f3b

General

Target

45ee81b15b6c5b7b73fa6ba2530e4764.exe
Size

679KB
MD5

45ee81b15b6c5b7b73fa6ba2530e4764
SHA1

0e456ae2a9e868ef0ae7a13c80635ff1608c2d54
SHA256

d153e4163269a30e8c77868685269d598872eda2218f6659f0772824c7598f3b
SHA512

7e2c0edddbb6fb1aa30e038bca4d9a36d2c9c708b12e15fa1c45258ab00615b61243f4346d57c54ffd387c86564790ed2e9c715ce1b13a2e61fc1f5cf47aa29e
SSDEEP

12288:dURQU7qnqg7radmlJMw6mFXGyq6SVwkqst2NjFj:G7G9Cd8ywHLRlkqsMNjB

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

45.137.22.62:4231

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2316-17-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2316-18-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2316-19-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2316-20-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2316-23-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2316-25-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1928	2316	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2668	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	29
PID 1972 wrote to memory of 2668	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	29
PID 1972 wrote to memory of 2668	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	29
PID 1972 wrote to memory of 2668	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	29
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 1972 wrote to memory of 2316	1972	45ee81b15b6c5b7b73fa6ba2530e4764.exe	31
PID 2316 wrote to memory of 1928	2316	45ee81b15b6c5b7b73fa6ba2530e4764.exe	32
PID 2316 wrote to memory of 1928	2316	45ee81b15b6c5b7b73fa6ba2530e4764.exe	32
PID 2316 wrote to memory of 1928	2316	45ee81b15b6c5b7b73fa6ba2530e4764.exe	32
PID 2316 wrote to memory of 1928	2316	45ee81b15b6c5b7b73fa6ba2530e4764.exe	32

C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe
"C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CunNHRudPgra" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67A9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe
  "C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 200
    3⤵
    - Program crash
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67A9.tmp

Filesize
1KB

MD5
a4d652de5f2b9d2f72e521330093a469

SHA1
0f43a61d12b3a8cefe19a57d734fca696a064fb3

SHA256
bc6c35b1db75eff1ffd0b4d7cb06d7ca0f4b91d0f9862ca50685f3188be75f29

SHA512
65256e428c84e04d274f4c970312e187b3e03971d44acab2e7cb65f144f67f5518e1e85fc5aa1e2e28ae0818665bc56204617d14ff7adcc30272bba37c3995d9

Download Submit
memory/1972-0-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-1-0x0000000001250000-0x00000000012FE000-memory.dmp

Filesize
696KB

Download
memory/1972-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1972-3-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/1972-4-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-5-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1972-6-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/1972-7-0x0000000000850000-0x0000000000874000-memory.dmp

Filesize
144KB

Download
memory/1972-26-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-15-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-18-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-19-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-20-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-25-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2316-13-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads