warzonerat | 6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf

General

Target

SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe
Size

129KB
MD5

84316bd8a6b69472115faadfc446253f
SHA1

03c9c3263f71654173e55c7074434a75f487f2b7
SHA256

6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf
SHA512

f41d95d145739bc6688e04591db864c2e78cada2570d05364bdf3289fb466ce734dbb419662e3c8cae4b73f0da7113c7782a6a415791b7b1d8e3db0996680ad0

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

148.251.48.16:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2116-118-0x0000000000E70000-0x0000000000FC4000-memory.dmp	warzonerat
behavioral2/memory/2116-119-0x0000000000E75CE2-mapping.dmp	warzonerat
behavioral2/memory/2116-121-0x0000000000E70000-0x0000000000FC4000-memory.dmp	warzonerat
behavioral2/memory/2116-126-0x0000000000E70000-0x0000000000FC4000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

COM Register.exeCOM Register.exe

pid process

3876 COM Register.exe
2116 COM Register.exe

pid	process
3876	COM Register.exe
2116	COM Register.exe

Drops startup file 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flop.vbs	SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

COM Register.exe

description pid process target process

PID 3876 set thread context of 2116 3876 COM Register.exe COM Register.exe

description	pid	process	target process
PID 3876 set thread context of 2116	3876	COM Register.exe	COM Register.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.12290.29943.execmd.exeCOM Register.exe

description	pid	process	target process
PID 640 wrote to memory of 2088	640	SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe	cmd.exe
PID 640 wrote to memory of 2088	640	SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe	cmd.exe
PID 640 wrote to memory of 2088	640	SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe	cmd.exe
PID 2088 wrote to memory of 3876	2088	cmd.exe	COM Register.exe
PID 2088 wrote to memory of 3876	2088	cmd.exe	COM Register.exe
PID 2088 wrote to memory of 3876	2088	cmd.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe
PID 3876 wrote to memory of 2116	3876	COM Register.exe	COM Register.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.12290.29943.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\COM Register.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
4⤵
- Executes dropped EXE
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\COM Register.exe
MD5
84316bd8a6b69472115faadfc446253f

SHA1
03c9c3263f71654173e55c7074434a75f487f2b7

SHA256
6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf

SHA512
f41d95d145739bc6688e04591db864c2e78cada2570d05364bdf3289fb466ce734dbb419662e3c8cae4b73f0da7113c7782a6a415791b7b1d8e3db0996680ad0

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
84316bd8a6b69472115faadfc446253f

SHA1
03c9c3263f71654173e55c7074434a75f487f2b7

SHA256
6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf

SHA512
f41d95d145739bc6688e04591db864c2e78cada2570d05364bdf3289fb466ce734dbb419662e3c8cae4b73f0da7113c7782a6a415791b7b1d8e3db0996680ad0

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
84316bd8a6b69472115faadfc446253f

SHA1
03c9c3263f71654173e55c7074434a75f487f2b7

SHA256
6d33f52ccba4dfd0f6ae6559d49f85bfbdb94560dc321cd09defa7d1278773cf

SHA512
f41d95d145739bc6688e04591db864c2e78cada2570d05364bdf3289fb466ce734dbb419662e3c8cae4b73f0da7113c7782a6a415791b7b1d8e3db0996680ad0

Download Submit
memory/2088-114-0x0000000000000000-mapping.dmp

Download
memory/2116-118-0x0000000000E70000-0x0000000000FC4000-memory.dmp

Filesize
1.3MB

Download
memory/2116-119-0x0000000000E75CE2-mapping.dmp

Download
memory/2116-121-0x0000000000E70000-0x0000000000FC4000-memory.dmp

Filesize
1.3MB

Download
memory/2116-126-0x0000000000E70000-0x0000000000FC4000-memory.dmp

Filesize
1.3MB

Download
memory/3876-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads