warzonerat | 023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

General

Target

TT.exe
Size

1.5MB
MD5

d074acab7ccb3a5e0991fe9274fdca20
SHA1

dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45
SHA256

023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6
SHA512

e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.222.57.213:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1204-2-0x0000000000A60000-0x0000000000BB4000-memory.dmp	warzonerat
behavioral1/memory/1236-6-0x0000000000A10000-0x0000000000B64000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1236 images.exe
Loads dropped DLL 1 IoCs

Processes:

TT.exe

pid process

1204 TT.exe

pid	process
1236	images.exe

pid	process
1204	TT.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

TT.exeimages.exe

description	pid	process	target process
PID 1204 wrote to memory of 1236	1204	TT.exe	images.exe
PID 1204 wrote to memory of 1236	1204	TT.exe	images.exe
PID 1204 wrote to memory of 1236	1204	TT.exe	images.exe
PID 1204 wrote to memory of 1236	1204	TT.exe	images.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe
PID 1236 wrote to memory of 1368	1236	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TT.exe
"C:\Users\Admin\AppData\Local\Temp\TT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe

MD5
d074acab7ccb3a5e0991fe9274fdca20

SHA1
dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45

SHA256
023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

SHA512
e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Download Submit
C:\ProgramData\images.exe

MD5
d074acab7ccb3a5e0991fe9274fdca20

SHA1
dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45

SHA256
023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

SHA512
e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Download Submit
\ProgramData\images.exe

MD5
d074acab7ccb3a5e0991fe9274fdca20

SHA1
dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45

SHA256
023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

SHA512
e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Download Submit
memory/1204-2-0x0000000000A60000-0x0000000000BB4000-memory.dmp

Filesize
1.3MB

Download
memory/1236-4-0x0000000000000000-mapping.dmp

Download
memory/1236-6-0x0000000000A10000-0x0000000000B64000-memory.dmp

Filesize
1.3MB

Download
memory/1368-8-0x0000000000000000-mapping.dmp

Download
memory/1368-9-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1368-10-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads