warzonerat | f4be91d5771599ee3f80dd26990d324c291e4b327db563c15379b09ffa79eadb

General

Target

Purchase Orders - Foreign_000000000088707.exe
Size

449KB
MD5

ebfe963401c01212c017ba9281bfcbc3
SHA1

51eda08a4839939950fb904c45fbc0ea1ff2ab5a
SHA256

f4be91d5771599ee3f80dd26990d324c291e4b327db563c15379b09ffa79eadb
SHA512

1f076d5f8c94b89a9568771ef57539c4ae1bfad1b47c2f69354495c177ff030060b663951dc139a0ca78436977e8c72ddebe2d9f94fc68a4648e018942e4c4b9

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

157.55.136.23:5300

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4156-126-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4156-127-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral2/memory/4156-128-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Orders - Foreign_000000000088707.exe

description	pid	process	target process
PID 4444 set thread context of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Purchase Orders - Foreign_000000000088707.exe

pid	process
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe
4444	Purchase Orders - Foreign_000000000088707.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Orders - Foreign_000000000088707.exe

description pid process

Token: SeDebugPrivilege 4444 Purchase Orders - Foreign_000000000088707.exe

description	pid	process
Token: SeDebugPrivilege	4444	Purchase Orders - Foreign_000000000088707.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Purchase Orders - Foreign_000000000088707.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe"
  2⤵
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe"
  2⤵
  PID:4220
- C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe"
  2⤵
  PID:4196
- C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Orders - Foreign_000000000088707.exe"
  2⤵
  PID:4156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4156-126-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4156-127-0x0000000000405CE2-mapping.dmp

Download
memory/4156-128-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4444-114-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4444-116-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4444-117-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4444-122-0x0000000006160000-0x00000000061AD000-memory.dmp

Filesize
308KB

Download
memory/4444-125-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4444 wrote to memory of 4208	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4208	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4208	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4220	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4220	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4220	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4196	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4196	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4196	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe
PID 4444 wrote to memory of 4156	4444	Purchase Orders - Foreign_000000000088707.exe	Purchase Orders - Foreign_000000000088707.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads