warzonerat | 438be9e574213e71135a3bd5cc2ad983287579287432d64559ea40a32823bb82 | Triage

Analysis

max time kernel
152s
max time network
18s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 17:37

Sharing

Report Analysis Logs

General

Target

cedbf0cf_extracted.exe
Size

101KB
MD5

8f0e82e303487711e319cc9ece505520
SHA1

8cb59f8be0e1a0be7e95aabdf7dc32b979d9c307
SHA256

438be9e574213e71135a3bd5cc2ad983287579287432d64559ea40a32823bb82
SHA512

78667fa6702e06c8e16a5e767006a2a2daa12fdd60363fa15ca85d18efa1668bcc7d70b3ed0c87a6480a4153bcec3879f656e41028e3c6e58901955a35a95750

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cedbf0cf_extracted.exe

description	pid	process	target process
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe
PID 1052 wrote to memory of 1680	1052	cedbf0cf_extracted.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cedbf0cf_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\cedbf0cf_extracted.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1680-61-0x0000000000000000-mapping.dmp

Download