warzonerat | 49bd52161ac80de23fde0851abc834f81e1765eb55880a04a7bec010616b1957

General

Target

f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Size

447KB
MD5

f1831646a449684fc0787d08e147017d
SHA1

e91efbd06b85b297db166d39c8dc18f7e7aa8365
SHA256

49bd52161ac80de23fde0851abc834f81e1765eb55880a04a7bec010616b1957
SHA512

c82eacbb11919f64523e791f65094a01b5258539a9078ff56fb057c6ef46ba98e26530c217c8c4f921691a51e28ea597992b62c4c056782da54f8fa8be3dffe1
SSDEEP

12288:DrQ2L1yXGK6ARkSetsRFPgRfhKFvExxLo7W:DDxASXSRFPg1EBExu

Score

10^/10

warzonerat zgrat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

warzonne.publicvm.com:22649

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-11-0x0000000005C40000-0x0000000005CB4000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-12-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-13-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-15-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-17-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-19-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-21-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-23-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-25-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-27-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-31-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-29-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-33-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-35-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-39-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-37-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-43-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-41-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-45-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-47-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-51-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-53-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-49-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-57-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-55-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-59-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-61-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-65-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-63-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-69-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-67-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-75-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-73-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3048-71-0x0000000005C40000-0x0000000005CAE000-memory.dmp	family_zgrat_v1

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2640-2169-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2640-2175-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

2640 RegAsm.exe
Loads dropped DLL 2 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exeRegAsm.exe

pid process

3048 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
2640 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exe

description pid process target process

PID 3048 set thread context of 2640 3048 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exepowershell.exe

pid process

3048 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
1276 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3048 f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Token: SeDebugPrivilege 1276 powershell.exe

pid	process
2640	RegAsm.exe

pid	process
3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
2640	RegAsm.exe

description	pid	process	target process
PID 3048 set thread context of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe

pid	process
3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
1276	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
Token: SeDebugPrivilege	1276	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

f1831646a449684fc0787d08e147017d_JaffaCakes118.exeWScript.exe

description	pid	process	target process
PID 3048 wrote to memory of 940	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 3048 wrote to memory of 940	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 3048 wrote to memory of 940	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 3048 wrote to memory of 940	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	WScript.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 3048 wrote to memory of 2640	3048	f1831646a449684fc0787d08e147017d_JaffaCakes118.exe	RegAsm.exe
PID 940 wrote to memory of 1276	940	WScript.exe	powershell.exe
PID 940 wrote to memory of 1276	940	WScript.exe	powershell.exe
PID 940 wrote to memory of 1276	940	WScript.exe	powershell.exe
PID 940 wrote to memory of 1276	940	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f1831646a449684fc0787d08e147017d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1831646a449684fc0787d08e147017d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ppgfqbvmulb.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Foxmaill\folder_1.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Ppgfqbvmulb.vbs
Filesize
185B

MD5
343d60694a1ed44f6a8d2e72af01398a

SHA1
e94d1fca2e525ed16e415d7aad35213611e986e1

SHA256
6715233ec92e74ef3f97f66d957f7ebf66fa89130bb9fbce390a8dd7ff9ad4f8

SHA512
cd460ca23ca4199a661f194b3d6eb5369fdca348c615f20bcbecf4ff1366d2c91551beab7e41e0fb02be74f70321dfa44ffcfba016da4b8e8ec2910a49ddaff1

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1276-2170-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-2171-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-2174-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1276-2173-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/1276-2172-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/2640-2169-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2640-2175-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3048-31-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-43-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-6-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-7-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-8-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-9-0x0000000000BD0000-0x0000000000C22000-memory.dmp

Filesize
328KB

Download
memory/3048-10-0x0000000004730000-0x0000000004782000-memory.dmp

Filesize
328KB

Download
memory/3048-11-0x0000000005C40000-0x0000000005CB4000-memory.dmp

Filesize
464KB

Download
memory/3048-12-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-13-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-15-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-17-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-19-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-21-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-23-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-25-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-27-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-4-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-29-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-33-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-35-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-39-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-37-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-5-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-41-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-45-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-47-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-51-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-53-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-49-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-57-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-55-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-59-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-61-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-65-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-63-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-69-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-67-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-75-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-3-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-2-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/3048-1-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-0-0x0000000000F00000-0x0000000000F76000-memory.dmp

Filesize
472KB

Download
memory/3048-73-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-71-0x0000000005C40000-0x0000000005CAE000-memory.dmp

Filesize
440KB

Download
memory/3048-2161-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads