warzonerat | 71a23392365192b43b1689b784e7bf7561ad95c6aa0432e6c4635e17e63b1b9d

General

Target

SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe
Size

128KB
MD5

811cba52862a62af61525f6d4c6ba768
SHA1

aa40b02a08223dcf34080757726d257156ecced9
SHA256

71a23392365192b43b1689b784e7bf7561ad95c6aa0432e6c4635e17e63b1b9d
SHA512

005882b4ede5c9cf9bf9a22514e0f3e5a0ff02f5e6bf680248449c34dfeca2383520781ff6a3198e27fb68e18520086bf3cc736bc75961bde0be0fc4cd1fd087

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

148.251.48.16:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2280-118-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat
behavioral2/memory/2280-119-0x0000000000705CE2-mapping.dmp	warzonerat
behavioral2/memory/2280-121-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat
behavioral2/memory/2280-126-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

COM Register.exeCOM Register.exe

pid process

3584 COM Register.exe
2280 COM Register.exe

pid	process
3584	COM Register.exe
2280	COM Register.exe

Drops startup file 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs	SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

COM Register.exe

description pid process target process

PID 3584 set thread context of 2280 3584 COM Register.exe COM Register.exe

description	pid	process	target process
PID 3584 set thread context of 2280	3584	COM Register.exe	COM Register.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.2847.19588.execmd.exeCOM Register.exe

description	pid	process	target process
PID 3016 wrote to memory of 2488	3016	SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe	cmd.exe
PID 3016 wrote to memory of 2488	3016	SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe	cmd.exe
PID 3016 wrote to memory of 2488	3016	SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe	cmd.exe
PID 2488 wrote to memory of 3584	2488	cmd.exe	COM Register.exe
PID 2488 wrote to memory of 3584	2488	cmd.exe	COM Register.exe
PID 2488 wrote to memory of 3584	2488	cmd.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe
PID 3584 wrote to memory of 2280	3584	COM Register.exe	COM Register.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.2847.19588.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\COM Register.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
4⤵
- Executes dropped EXE
PID:2280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\COM Register.exe
MD5
811cba52862a62af61525f6d4c6ba768

SHA1
aa40b02a08223dcf34080757726d257156ecced9

SHA256
71a23392365192b43b1689b784e7bf7561ad95c6aa0432e6c4635e17e63b1b9d

SHA512
005882b4ede5c9cf9bf9a22514e0f3e5a0ff02f5e6bf680248449c34dfeca2383520781ff6a3198e27fb68e18520086bf3cc736bc75961bde0be0fc4cd1fd087

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
811cba52862a62af61525f6d4c6ba768

SHA1
aa40b02a08223dcf34080757726d257156ecced9

SHA256
71a23392365192b43b1689b784e7bf7561ad95c6aa0432e6c4635e17e63b1b9d

SHA512
005882b4ede5c9cf9bf9a22514e0f3e5a0ff02f5e6bf680248449c34dfeca2383520781ff6a3198e27fb68e18520086bf3cc736bc75961bde0be0fc4cd1fd087

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
811cba52862a62af61525f6d4c6ba768

SHA1
aa40b02a08223dcf34080757726d257156ecced9

SHA256
71a23392365192b43b1689b784e7bf7561ad95c6aa0432e6c4635e17e63b1b9d

SHA512
005882b4ede5c9cf9bf9a22514e0f3e5a0ff02f5e6bf680248449c34dfeca2383520781ff6a3198e27fb68e18520086bf3cc736bc75961bde0be0fc4cd1fd087

Download Submit
memory/2280-118-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/2280-119-0x0000000000705CE2-mapping.dmp

Download
memory/2280-121-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/2280-126-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/2488-114-0x0000000000000000-mapping.dmp

Download
memory/3584-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads