warzonerat | 99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

General

Target

e6b478f5fc73dc7318854399abf505e3.exe
Size

908KB
MD5

e6b478f5fc73dc7318854399abf505e3
SHA1

802fb03026a04b4027c3ff7fdf521d08195f8163
SHA256

99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b
SHA512

9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1896 svchost.exe
1956 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exe

pid process

1432 e6b478f5fc73dc7318854399abf505e3.exe

pid	process
1896	svchost.exe
1956	svchost.exe

pid	process
1432	e6b478f5fc73dc7318854399abf505e3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exesvchost.exe

description	pid	process	target process
PID 1028 set thread context of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1896 set thread context of 1956	1896	svchost.exe	svchost.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exee6b478f5fc73dc7318854399abf505e3.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1028 wrote to memory of 1432	1028	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1432 wrote to memory of 1880	1432	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1432 wrote to memory of 1880	1432	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1432 wrote to memory of 1880	1432	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1432 wrote to memory of 1880	1432	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1432 wrote to memory of 1896	1432	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1432 wrote to memory of 1896	1432	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1432 wrote to memory of 1896	1432	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1432 wrote to memory of 1896	1432	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1880 wrote to memory of 1848	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1848	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1848	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1848	1880	cmd.exe	reg.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1896 wrote to memory of 1956	1896	svchost.exe	svchost.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe
PID 1956 wrote to memory of 1692	1956	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:1848

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
memory/1028-62-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1028-63-0x0000000000440000-0x0000000000442000-memory.dmp

Filesize
8KB

Download
memory/1028-64-0x00000000073B0000-0x0000000007434000-memory.dmp

Filesize
528KB

Download
memory/1028-65-0x0000000000550000-0x0000000000588000-memory.dmp

Filesize
224KB

Download
memory/1028-60-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1432-66-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1432-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1432-68-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1432-67-0x0000000000405E28-mapping.dmp

Download
memory/1692-87-0x0000000000000000-mapping.dmp

Download
memory/1848-77-0x0000000000000000-mapping.dmp

Download
memory/1880-70-0x0000000000000000-mapping.dmp

Download
memory/1896-72-0x0000000000000000-mapping.dmp

Download
memory/1896-75-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1896-79-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1956-83-0x0000000000405E28-mapping.dmp

Download
memory/1956-86-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing