warzonerat | fbceecb919805bf25f79b60685f86e29ea203a8be4629853a0e717b43f09016e | Triage

Analysis

max time kernel
142s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 17:37

Sharing

Report Analysis Logs

General

Target

4412eb1d_extracted.exe
Size

101KB
MD5

dc57435c2506f48097817fb36035c376
SHA1

de6f7a47ddebf15527e55a0f423f6adf752b79b8
SHA256

fbceecb919805bf25f79b60685f86e29ea203a8be4629853a0e717b43f09016e
SHA512

68c2bddd252f6bf8a7c3dbbd135a1858824b4adabb642f3e663defd6c0833cbff26b77dbf4d772fb50ef4e0f606913f860a4b697fb66e6b637c578ba47722ec6

Score

10^/10

warzonerat infostealer rat

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4412eb1d_extracted.exe

description	pid	process	target process
PID 424 wrote to memory of 1492	424	4412eb1d_extracted.exe	cmd.exe
PID 424 wrote to memory of 1492	424	4412eb1d_extracted.exe	cmd.exe
PID 424 wrote to memory of 1492	424	4412eb1d_extracted.exe	cmd.exe
PID 424 wrote to memory of 1492	424	4412eb1d_extracted.exe	cmd.exe
PID 424 wrote to memory of 1492	424	4412eb1d_extracted.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4412eb1d_extracted.exe
"C:\Users\Admin\AppData\Local\Temp\4412eb1d_extracted.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-114-0x0000000000000000-mapping.dmp

Download