warzonerat | 5c8ba98576d72f725ac03c6a79f3fbb39cd7ba65c54402e80af1d2d1f12c4d2a

Analysis

Target

New order_doc.exe
Size

959KB
MD5

4f725e7f05311c224ef49498892ba553
SHA1

49e95d8a392adff32361c96dce3db138ec7764f9
SHA256

76dd27ef96d337d45cfbc7585846d998f6b0f0a3c89255a9329862877432e098
SHA512

c7654e8392209773d534a20d73e0c148511ea164c82d1dc63e752bf4e02883a0b137d5d73e465a9164cfb4f13ee50579907cb45cbc6cb16c47dd2a390bd265df

Score

10^/10

Family

warzonerat

hongphilxxx.duckdns.org:65535

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1204-121-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

New order_doc.exe

description	pid	process	target process
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe
PID 744 wrote to memory of 1204	744	New order_doc.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\New order_doc.exe
"C:\Users\Admin\AppData\Local\Temp\New order_doc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\DpiScaling.exe
  C:\Windows\System32\DpiScaling.exe
  2⤵
  PID:1204

memory/744-114-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1204-115-0x0000000000000000-mapping.dmp

Download
memory/1204-116-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1204-119-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1204-118-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1204-120-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1204-121-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download