warzonerat | 76dd27ef96d337d45cfbc7585846d998f6b0f0a3c89255a9329862877432e098

Analysis

Target

New order_doc.exe
Size

959KB
MD5

4f725e7f05311c224ef49498892ba553
SHA1

49e95d8a392adff32361c96dce3db138ec7764f9
SHA256

76dd27ef96d337d45cfbc7585846d998f6b0f0a3c89255a9329862877432e098
SHA512

c7654e8392209773d534a20d73e0c148511ea164c82d1dc63e752bf4e02883a0b137d5d73e465a9164cfb4f13ee50579907cb45cbc6cb16c47dd2a390bd265df

Score

10^/10

Family

warzonerat

hongphilxxx.duckdns.org:65535

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2904-121-0x0000000004AE0000-0x0000000004C34000-memory.dmp	warzonerat

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

New order_doc.exe

description	pid	process	target process
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe
PID 4024 wrote to memory of 2904	4024	New order_doc.exe	ieinstal.exe

C:\Users\Admin\AppData\Local\Temp\New order_doc.exe
"C:\Users\Admin\AppData\Local\Temp\New order_doc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  PID:2904

memory/2904-115-0x0000000000000000-mapping.dmp

Download
memory/2904-117-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2904-116-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2904-119-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/2904-121-0x0000000004AE0000-0x0000000004C34000-memory.dmp

Filesize
1.3MB

Download
memory/2904-120-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/4024-114-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download