warzonerat | 99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

General

Target

e6b478f5fc73dc7318854399abf505e3.exe
Size

908KB
MD5

e6b478f5fc73dc7318854399abf505e3
SHA1

802fb03026a04b4027c3ff7fdf521d08195f8163
SHA256

99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b
SHA512

9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 6 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

652 svchost.exe
1636 svchost.exe
1312 svchost.exe
580 svchost.exe
1000 svchost.exe
1448 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exe

pid process

944 e6b478f5fc73dc7318854399abf505e3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exe

description pid process target process

PID 604 set thread context of 944 604 e6b478f5fc73dc7318854399abf505e3.exe e6b478f5fc73dc7318854399abf505e3.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

svchost.exe

pid process

652 svchost.exe
652 svchost.exe
652 svchost.exe
652 svchost.exe
652 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 652 svchost.exe

pid	process
652	svchost.exe
1636	svchost.exe
1312	svchost.exe
580	svchost.exe
1000	svchost.exe
1448	svchost.exe

pid	process
944	e6b478f5fc73dc7318854399abf505e3.exe

description	pid	process	target process
PID 604 set thread context of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe

pid	process
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe
652	svchost.exe

description	pid	process
Token: SeDebugPrivilege	652	svchost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exee6b478f5fc73dc7318854399abf505e3.execmd.exesvchost.exe

description	pid	process	target process
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 604 wrote to memory of 944	604	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 944 wrote to memory of 624	944	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 944 wrote to memory of 624	944	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 944 wrote to memory of 624	944	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 944 wrote to memory of 624	944	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 944 wrote to memory of 652	944	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 944 wrote to memory of 652	944	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 944 wrote to memory of 652	944	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 944 wrote to memory of 652	944	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 624 wrote to memory of 784	624	cmd.exe	reg.exe
PID 624 wrote to memory of 784	624	cmd.exe	reg.exe
PID 624 wrote to memory of 784	624	cmd.exe	reg.exe
PID 624 wrote to memory of 784	624	cmd.exe	reg.exe
PID 652 wrote to memory of 1636	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1636	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1636	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1636	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1312	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1312	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1312	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1312	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 580	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 580	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 580	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 580	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1000	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1000	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1000	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1000	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1448	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1448	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1448	652	svchost.exe	svchost.exe
PID 652 wrote to memory of 1448	652	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:784

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1636

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:580

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1312

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1000

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1448

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
memory/604-62-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/604-64-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/604-63-0x0000000007390000-0x0000000007414000-memory.dmp

Filesize
528KB

Download
memory/604-61-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/604-59-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/624-69-0x0000000000000000-mapping.dmp

Download
memory/652-71-0x0000000000000000-mapping.dmp

Download
memory/652-74-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/652-78-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/784-76-0x0000000000000000-mapping.dmp

Download
memory/944-68-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/944-67-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/944-66-0x0000000000405E28-mapping.dmp

Download
memory/944-65-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads