warzonerat | 872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42

General

Target

SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe
Size

128KB
MD5

5c09522de5f3253871d318ba84094b2e
SHA1

c783db9c74006be5933fa057f2ff532b60392b94
SHA256

872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42
SHA512

e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

148.251.48.16:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1276-119-0x0000000000705CE2-mapping.dmp	warzonerat
behavioral2/memory/1276-118-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat
behavioral2/memory/1276-121-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat
behavioral2/memory/1276-126-0x0000000000700000-0x0000000000854000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

COM Register.exeCOM Register.exe

pid process

2656 COM Register.exe
1276 COM Register.exe

pid	process
2656	COM Register.exe
1276	COM Register.exe

Drops startup file 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.vbs	SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

COM Register.exe

description pid process target process

PID 2656 set thread context of 1276 2656 COM Register.exe COM Register.exe

description	pid	process	target process
PID 2656 set thread context of 1276	2656	COM Register.exe	COM Register.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed.24465.17731.23605.execmd.exeCOM Register.exe

description	pid	process	target process
PID 2228 wrote to memory of 2464	2228	SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe	cmd.exe
PID 2228 wrote to memory of 2464	2228	SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe	cmd.exe
PID 2228 wrote to memory of 2464	2228	SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe	cmd.exe
PID 2464 wrote to memory of 2656	2464	cmd.exe	COM Register.exe
PID 2464 wrote to memory of 2656	2464	cmd.exe	COM Register.exe
PID 2464 wrote to memory of 2656	2464	cmd.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe
PID 2656 wrote to memory of 1276	2656	COM Register.exe	COM Register.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed.24465.17731.23605.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\COM Register.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\COM Register.exe
"C:\Users\Admin\AppData\Local\COM Register.exe"
4⤵
- Executes dropped EXE
PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\COM Register.exe
MD5
5c09522de5f3253871d318ba84094b2e

SHA1
c783db9c74006be5933fa057f2ff532b60392b94

SHA256
872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42

SHA512
e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
5c09522de5f3253871d318ba84094b2e

SHA1
c783db9c74006be5933fa057f2ff532b60392b94

SHA256
872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42

SHA512
e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c

Download Submit
C:\Users\Admin\AppData\Local\COM Register.exe
MD5
5c09522de5f3253871d318ba84094b2e

SHA1
c783db9c74006be5933fa057f2ff532b60392b94

SHA256
872ac5743d339a60af70e0b933a15c4c68f5e40b168c3b5ef444cf280673ee42

SHA512
e850c6daaa4809a8204c3f5a346a2ba89477048e0458de040f516d8e4506101ff04f43400e6daf8f7d1fa249f92e1bdd79448232d78b254b1845223413dd4f4c

Download Submit
memory/1276-119-0x0000000000705CE2-mapping.dmp

Download
memory/1276-118-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/1276-121-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/1276-126-0x0000000000700000-0x0000000000854000-memory.dmp

Filesize
1.3MB

Download
memory/2464-114-0x0000000000000000-mapping.dmp

Download
memory/2656-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads