warzonerat | d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe
Size

98KB
MD5

c3b94b58df683ce5d5ff33f2846dd18f
SHA1

28c044b0e1cee740f146a0c435d0b5f5183355f2
SHA256

d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85
SHA512

c568063157bf4be197e6fe01780ef090a63f958a8fb2caf51c38ac6c64084de789b4b8471a99d9b85ca9bcbb754c50a412a7a125929c1127cd305bf783164c91
SSDEEP

1536:5Csejmb+6BQyusX1UjtA0uWRf/eloc/9T1jVEypm:AtD6jSm0uWRfCogTjVEG

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

apostlejob2.duckdns.org:2877

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023420-2.dat	warzonerat

Executes dropped EXE 1 IoCs

pid	Process
1544	images.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1544	1284	d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe	83
PID 1284 wrote to memory of 1544	1284	d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe	83
PID 1284 wrote to memory of 1544	1284	d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe	83

C:\Users\Admin\AppData\Local\Temp\d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe
"C:\Users\Admin\AppData\Local\Temp\d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

Filesize
98KB

MD5
c3b94b58df683ce5d5ff33f2846dd18f

SHA1
28c044b0e1cee740f146a0c435d0b5f5183355f2

SHA256
d677958e05d8e8a3424225fd62da4a68c9401aa13658ecb9d6dbff18372aca85

SHA512
c568063157bf4be197e6fe01780ef090a63f958a8fb2caf51c38ac6c64084de789b4b8471a99d9b85ca9bcbb754c50a412a7a125929c1127cd305bf783164c91

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads