warzonerat | d153e4163269a30e8c77868685269d598872eda2218f6659f0772824c7598f3b

General

Target

45ee81b15b6c5b7b73fa6ba2530e4764.exe
Size

679KB
MD5

45ee81b15b6c5b7b73fa6ba2530e4764
SHA1

0e456ae2a9e868ef0ae7a13c80635ff1608c2d54
SHA256

d153e4163269a30e8c77868685269d598872eda2218f6659f0772824c7598f3b
SHA512

7e2c0edddbb6fb1aa30e038bca4d9a36d2c9c708b12e15fa1c45258ab00615b61243f4346d57c54ffd387c86564790ed2e9c715ce1b13a2e61fc1f5cf47aa29e
SSDEEP

12288:dURQU7qnqg7radmlJMw6mFXGyq6SVwkqst2NjFj:G7G9Cd8ywHLRlkqsMNjB

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

45.137.22.62:4231

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1976-17-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1976-20-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1976-21-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1976-23-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	45ee81b15b6c5b7b73fa6ba2530e4764.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe
5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe
5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 440	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	103
PID 5008 wrote to memory of 440	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	103
PID 5008 wrote to memory of 440	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	103
PID 5008 wrote to memory of 4680	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	108
PID 5008 wrote to memory of 4680	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	108
PID 5008 wrote to memory of 4680	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	108
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109
PID 5008 wrote to memory of 1976	5008	45ee81b15b6c5b7b73fa6ba2530e4764.exe	109

C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe
"C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CunNHRudPgra" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E50.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:440
- C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe
  "C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe"
  2⤵
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe
  "C:\Users\Admin\AppData\Local\Temp\45ee81b15b6c5b7b73fa6ba2530e4764.exe"
  2⤵
  PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6E50.tmp

Filesize
1KB

MD5
6cb9a37d73c46eee4c682ad1cdb316c5

SHA1
82211075ad45878a1e747c8c95a61410db7bf139

SHA256
5ff9856502feb18e1692a1d5cc3b28480987d84e70126a5c29d02f29f719d156

SHA512
9938e5ff8534627e2adf6ac81ce12b2b390c75b5977f6b0138cdafa72a55d7e5b25d0f6cc971c0e1b86e6af4600c76b4068129309f6ad3812ab2ac8628a282d8

Download Submit
memory/1976-23-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1976-21-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1976-20-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1976-17-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/5008-4-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5008-6-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/5008-7-0x0000000006950000-0x00000000069EC000-memory.dmp

Filesize
624KB

Download
memory/5008-8-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/5008-9-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/5008-10-0x0000000000C60000-0x0000000000CF2000-memory.dmp

Filesize
584KB

Download
memory/5008-11-0x0000000000CF0000-0x0000000000D14000-memory.dmp

Filesize
144KB

Download
memory/5008-5-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/5008-0-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5008-3-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/5008-2-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/5008-22-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5008-1-0x0000000000320000-0x00000000003CE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads