warzonerat | 99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

General

Target

e6b478f5fc73dc7318854399abf505e3.exe
Size

908KB
MD5

e6b478f5fc73dc7318854399abf505e3
SHA1

802fb03026a04b4027c3ff7fdf521d08195f8163
SHA256

99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b
SHA512

9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

3332 svchost.exe
1724 svchost.exe
2412 svchost.exe

pid	process
3332	svchost.exe
1724	svchost.exe
2412	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exesvchost.exe

description	pid	process	target process
PID 3724 set thread context of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3332 set thread context of 2412	3332	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

3332 svchost.exe
3332 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 3332 svchost.exe

pid	process
3332	svchost.exe
3332	svchost.exe

description	pid	process
Token: SeDebugPrivilege	3332	svchost.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exee6b478f5fc73dc7318854399abf505e3.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3724 wrote to memory of 3200	3724	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3200 wrote to memory of 3056	3200	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 3200 wrote to memory of 3056	3200	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 3200 wrote to memory of 3056	3200	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 3200 wrote to memory of 3332	3200	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 3200 wrote to memory of 3332	3200	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 3200 wrote to memory of 3332	3200	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 3056 wrote to memory of 3404	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 3404	3056	cmd.exe	reg.exe
PID 3056 wrote to memory of 3404	3056	cmd.exe	reg.exe
PID 3332 wrote to memory of 1724	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 1724	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 1724	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 3332 wrote to memory of 2412	3332	svchost.exe	svchost.exe
PID 2412 wrote to memory of 1296	2412	svchost.exe	cmd.exe
PID 2412 wrote to memory of 1296	2412	svchost.exe	cmd.exe
PID 2412 wrote to memory of 1296	2412	svchost.exe	cmd.exe
PID 2412 wrote to memory of 1296	2412	svchost.exe	cmd.exe
PID 2412 wrote to memory of 1296	2412	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:3404

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1724

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
memory/1296-147-0x0000000000000000-mapping.dmp

Download
memory/2412-146-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2412-144-0x0000000000405E28-mapping.dmp

Download
memory/3056-127-0x0000000000000000-mapping.dmp

Download
memory/3200-125-0x0000000000405E28-mapping.dmp

Download
memory/3200-124-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3200-126-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3332-137-0x0000000007680000-0x0000000007B7E000-memory.dmp

Filesize
5.0MB

Download
memory/3332-128-0x0000000000000000-mapping.dmp

Download
memory/3404-133-0x0000000000000000-mapping.dmp

Download
memory/3724-121-0x0000000008E90000-0x0000000008E92000-memory.dmp

Filesize
8KB

Download
memory/3724-122-0x000000000ACF0000-0x000000000AD74000-memory.dmp

Filesize
528KB

Download
memory/3724-123-0x00000000049A0000-0x00000000049D8000-memory.dmp

Filesize
224KB

Download
memory/3724-114-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3724-120-0x0000000008F50000-0x0000000008F51000-memory.dmp

Filesize
4KB

Download
memory/3724-119-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/3724-118-0x0000000007390000-0x000000000788E000-memory.dmp

Filesize
5.0MB

Download
memory/3724-117-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3724-116-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing