warzonerat | 99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

General

Target

e6b478f5fc73dc7318854399abf505e3.exe
Size

908KB
MD5

e6b478f5fc73dc7318854399abf505e3
SHA1

802fb03026a04b4027c3ff7fdf521d08195f8163
SHA256

99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b
SHA512

9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

2104 svchost.exe
2784 svchost.exe
3008 svchost.exe
3680 svchost.exe

pid	process
2104	svchost.exe
2784	svchost.exe
3008	svchost.exe
3680	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exesvchost.exe

description	pid	process	target process
PID 3904 set thread context of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 2104 set thread context of 3680	2104	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exe

pid process

2104 svchost.exe
2104 svchost.exe
2104 svchost.exe
2104 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2104 svchost.exe

pid	process
2104	svchost.exe
2104	svchost.exe
2104	svchost.exe
2104	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2104	svchost.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

e6b478f5fc73dc7318854399abf505e3.exee6b478f5fc73dc7318854399abf505e3.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 3904 wrote to memory of 1744	3904	e6b478f5fc73dc7318854399abf505e3.exe	e6b478f5fc73dc7318854399abf505e3.exe
PID 1744 wrote to memory of 416	1744	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1744 wrote to memory of 416	1744	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1744 wrote to memory of 416	1744	e6b478f5fc73dc7318854399abf505e3.exe	cmd.exe
PID 1744 wrote to memory of 2104	1744	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1744 wrote to memory of 2104	1744	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 1744 wrote to memory of 2104	1744	e6b478f5fc73dc7318854399abf505e3.exe	svchost.exe
PID 416 wrote to memory of 1120	416	cmd.exe	reg.exe
PID 416 wrote to memory of 1120	416	cmd.exe	reg.exe
PID 416 wrote to memory of 1120	416	cmd.exe	reg.exe
PID 2104 wrote to memory of 2784	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 2784	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 2784	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3008	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3008	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3008	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 2104 wrote to memory of 3680	2104	svchost.exe	svchost.exe
PID 3680 wrote to memory of 4028	3680	svchost.exe	cmd.exe
PID 3680 wrote to memory of 4028	3680	svchost.exe	cmd.exe
PID 3680 wrote to memory of 4028	3680	svchost.exe	cmd.exe
PID 3680 wrote to memory of 4028	3680	svchost.exe	cmd.exe
PID 3680 wrote to memory of 4028	3680	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\e6b478f5fc73dc7318854399abf505e3.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:1120

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:2784

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
PID:3008

C:\ProgramData\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
C:\ProgramData\svchost.exe
MD5
e6b478f5fc73dc7318854399abf505e3

SHA1
802fb03026a04b4027c3ff7fdf521d08195f8163

SHA256
99f6194509980cce34f244d9dbca6d6931f47a02361db73e0f2fc1fa103c997b

SHA512
9f94e00e1b30130e06749868dc5e492b74f47a67169b5e064ab09fc51fba01e4583adf0b3e730852bba272cfb6d7395f8d6c0078addb59f4b6cdd3c1874ae3d4

Download Submit
memory/416-127-0x0000000000000000-mapping.dmp

Download
memory/1120-133-0x0000000000000000-mapping.dmp

Download
memory/1744-124-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1744-125-0x0000000000405E28-mapping.dmp

Download
memory/1744-126-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2104-139-0x0000000007C80000-0x000000000817E000-memory.dmp

Filesize
5.0MB

Download
memory/2104-128-0x0000000000000000-mapping.dmp

Download
memory/3680-147-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3680-145-0x0000000000405E28-mapping.dmp

Download
memory/3904-120-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x0000000006E80000-0x000000000737E000-memory.dmp

Filesize
5.0MB

Download
memory/3904-121-0x0000000007330000-0x0000000007332000-memory.dmp

Filesize
8KB

Download
memory/3904-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3904-118-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/3904-123-0x0000000004470000-0x00000000044A8000-memory.dmp

Filesize
224KB

Download
memory/3904-116-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3904-122-0x000000000A7E0000-0x000000000A864000-memory.dmp

Filesize
528KB

Download
memory/4028-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing