warzonerat | f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c

General

Target

LisectAVT_2403002A_44.exe
Size

250KB
MD5

1de50898c006fcc7d1924a6df312f8e2
SHA1

7b1ae04725421af4e1609bc1594d01691643613f
SHA256

f901f4b9437419d09352abcdec1a1e7bb1b511adbee059c42695753575b2b77c
SHA512

60d919aabbe922194e52e4b3834fb2ef8242427e851bff023cf3059c4bbf8574df318667b790638f7fc995872e2e35b572a4b0f3991dfc61150b1bba4b40d79c
SSDEEP

6144:jNc88VTZVxiL2CzS3vlm8LkuJKjWZSLV64:y88Vt7iLVWvU8LdmV

Score

10^/10

warzonerat collection credential_access defense_evasion discovery evasion infostealer persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

warzonerat

C2

216.250.253.35:2356

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Warzone RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2520-2-0x0000000000220000-0x0000000000242000-memory.dmp	warzonerat
behavioral1/memory/2520-3-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-4-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-18-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-21-0x0000000000220000-0x0000000000242000-memory.dmp	warzonerat
behavioral1/memory/2520-29-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-32-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-33-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-34-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat
behavioral1/memory/2520-44-0x0000000000400000-0x000000000055A000-memory.dmp	warzonerat

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1132 netsh.exe

pid	process
1132	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	LisectAVT_2403002A_44.exe

Executes dropped EXE 1 IoCs

Processes:

30.exe

pid process

3060 30.exe

pid	process
3060	30.exe

Loads dropped DLL 8 IoCs

Processes:

LisectAVT_2403002A_44.exe

pid	process
2520	LisectAVT_2403002A_44.exe
2612
2520	LisectAVT_2403002A_44.exe
2520	LisectAVT_2403002A_44.exe
2520	LisectAVT_2403002A_44.exe
2520	LisectAVT_2403002A_44.exe
2520	LisectAVT_2403002A_44.exe
2520	LisectAVT_2403002A_44.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\30.exe	upx
behavioral1/memory/3060-13-0x0000000001380000-0x00000000013AD000-memory.dmp	upx
behavioral1/memory/3060-19-0x0000000001380000-0x00000000013AD000-memory.dmp	upx
behavioral1/memory/3060-22-0x0000000001380000-0x00000000013AD000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LisectAVT_2403002A_44.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LisectAVT_2403002A_44.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	LisectAVT_2403002A_44.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	LisectAVT_2403002A_44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bKHvndn = "0"	LisectAVT_2403002A_44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	LisectAVT_2403002A_44.exe

Drops file in System32 directory 1 IoCs

Processes:

LisectAVT_2403002A_44.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll LisectAVT_2403002A_44.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	LisectAVT_2403002A_44.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bKHvndn = "0"	LisectAVT_2403002A_44.exe

Drops file in Program Files directory 2 IoCs

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	LisectAVT_2403002A_44.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	LisectAVT_2403002A_44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002A_44.exe30.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002A_44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

2612
2612
2612
2612
2612
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

LisectAVT_2403002A_44.exe

description pid process

Token: SeDebugPrivilege 2520 LisectAVT_2403002A_44.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LisectAVT_2403002A_44.exe

pid process

2520 LisectAVT_2403002A_44.exe

pid	process
2612
2612
2612
2612
2612

description	pid	process
Token: SeDebugPrivilege	2520	LisectAVT_2403002A_44.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

LisectAVT_2403002A_44.exe30.exe

description	pid	process	target process
PID 2520 wrote to memory of 3060	2520	LisectAVT_2403002A_44.exe	30.exe
PID 2520 wrote to memory of 3060	2520	LisectAVT_2403002A_44.exe	30.exe
PID 2520 wrote to memory of 3060	2520	LisectAVT_2403002A_44.exe	30.exe
PID 2520 wrote to memory of 3060	2520	LisectAVT_2403002A_44.exe	30.exe
PID 3060 wrote to memory of 1132	3060	30.exe	netsh.exe
PID 3060 wrote to memory of 1132	3060	30.exe	netsh.exe
PID 3060 wrote to memory of 1132	3060	30.exe	netsh.exe
PID 3060 wrote to memory of 1132	3060	30.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LisectAVT_2403002A_44.exe

outlook_win_path 1 IoCs

Processes:

LisectAVT_2403002A_44.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LisectAVT_2403002A_44.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_44.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_44.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2520

C:\Users\Admin\AppData\Local\Temp\30.exe
"C:\Users\Admin\AppData\Local\Temp\30.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Hide Artifacts

1

T1564

Hidden Users

1

T1564.002

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\30.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
326KB

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
133KB

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
1.2MB

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
141KB

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/2520-12-0x000000000AD10000-0x000000000AD3D000-memory.dmp

Filesize
180KB

Download
memory/2520-18-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-20-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2520-21-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2520-2-0x0000000000220000-0x0000000000242000-memory.dmp

Filesize
136KB

Download
memory/2520-29-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-32-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-33-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-34-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-44-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-3-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2520-1-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2520-4-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/3060-13-0x0000000001380000-0x00000000013AD000-memory.dmp

Filesize
180KB

Download
memory/3060-19-0x0000000001380000-0x00000000013AD000-memory.dmp

Filesize
180KB

Download
memory/3060-22-0x0000000001380000-0x00000000013AD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads