warzonerat | 023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

Analysis

Target

TT.exe
Size

1.5MB
MD5

d074acab7ccb3a5e0991fe9274fdca20
SHA1

dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45
SHA256

023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6
SHA512

e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Score

10^/10

Family

warzonerat

185.222.57.213:5200

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3980-2-0x0000000002650000-0x00000000027A4000-memory.dmp	warzonerat
behavioral2/memory/1268-6-0x00000000027F0000-0x0000000002944000-memory.dmp	warzonerat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

1268 images.exe

pid	process
1268	images.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

TT.exeimages.exe

description	pid	process	target process
PID 3980 wrote to memory of 1268	3980	TT.exe	images.exe
PID 3980 wrote to memory of 1268	3980	TT.exe	images.exe
PID 3980 wrote to memory of 1268	3980	TT.exe	images.exe
PID 1268 wrote to memory of 3960	1268	images.exe	cmd.exe
PID 1268 wrote to memory of 3960	1268	images.exe	cmd.exe
PID 1268 wrote to memory of 3960	1268	images.exe	cmd.exe
PID 1268 wrote to memory of 3960	1268	images.exe	cmd.exe
PID 1268 wrote to memory of 3960	1268	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TT.exe
"C:\Users\Admin\AppData\Local\Temp\TT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980
- C:\ProgramData\images.exe
  "C:\ProgramData\images.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:3960

C:\ProgramData\images.exe

MD5
d074acab7ccb3a5e0991fe9274fdca20

SHA1
dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45

SHA256
023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

SHA512
e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Download Submit
C:\ProgramData\images.exe

MD5
d074acab7ccb3a5e0991fe9274fdca20

SHA1
dff5ce1faa43bfb7ba8fceeba7d044a7eba37e45

SHA256
023823859e196b15112c3e59e6247ceef4001f5a36f0e1383aa63b3b5a1c3aa6

SHA512
e9a2ed5c89d4230ab5d4613def6e99d41a971e8e4350e9e0e1dc0cf842ea292484f20771b8f8e2278ff5a91b4f9adc59c0585e6c463b2e3a86cabbe16313b576

Download Submit
memory/1268-3-0x0000000000000000-mapping.dmp

Download
memory/1268-6-0x00000000027F0000-0x0000000002944000-memory.dmp

Filesize
1.3MB

Download
memory/3960-7-0x0000000000000000-mapping.dmp

Download
memory/3960-8-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/3980-2-0x0000000002650000-0x00000000027A4000-memory.dmp

Filesize
1.3MB

Download