warzonerat | fbceecb919805bf25f79b60685f86e29ea203a8be4629853a0e717b43f09016e | Triage

Analysis

max time kernel
148s
max time network
18s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 17:37

Sharing

Report Analysis Logs

General

Target

4412eb1d_extracted.exe
Size

101KB
MD5

dc57435c2506f48097817fb36035c376
SHA1

de6f7a47ddebf15527e55a0f423f6adf752b79b8
SHA256

fbceecb919805bf25f79b60685f86e29ea203a8be4629853a0e717b43f09016e
SHA512

68c2bddd252f6bf8a7c3dbbd135a1858824b4adabb642f3e663defd6c0833cbff26b77dbf4d772fb50ef4e0f606913f860a4b697fb66e6b637c578ba47722ec6

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4412eb1d_extracted.exe

description	pid	process	target process
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe
PID 788 wrote to memory of 1228	788	4412eb1d_extracted.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4412eb1d_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\4412eb1d_extracted.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1228-61-0x0000000000000000-mapping.dmp

Download