warzonerat | 344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89

General

Target

New Order_R43YZIr0C8E62iK.exe
Size

291KB
MD5

c2defdcd91b04ece9e34bee77d0f5adc
SHA1

14b0616035e2fef2c4dc9ab4ba9b5f23b159c361
SHA256

344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89
SHA512

41665255975bf4a392f50455b7640e77e42ee1aa505a60fa4d5b620d9ce4193832362d6159193319a0029109f6602b0ef7f78fbf20de667f773efd67b5e08c25

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

185.105.236.179:1975

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1304-62-0x0000000000405887-mapping.dmp	warzonerat
behavioral1/memory/1304-63-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/1304-69-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/1720-77-0x0000000000405887-mapping.dmp	warzonerat
behavioral1/memory/1720-76-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/1720-80-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat

Executes dropped EXE 2 IoCs

Processes:

User1.exeUser1.exe

pid process

516 User1.exe
1720 User1.exe
Loads dropped DLL 1 IoCs

Processes:

New Order_R43YZIr0C8E62iK.exe

pid process

1304 New Order_R43YZIr0C8E62iK.exe

pid	process
516	User1.exe
1720	User1.exe

pid	process
1304	New Order_R43YZIr0C8E62iK.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

New Order_R43YZIr0C8E62iK.exeUser1.exe

description	pid	process	target process
PID 360 set thread context of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 516 set thread context of 1720	516	User1.exe	User1.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New Order_R43YZIr0C8E62iK.exeUser1.exe

pid process

360 New Order_R43YZIr0C8E62iK.exe
360 New Order_R43YZIr0C8E62iK.exe
516 User1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Order_R43YZIr0C8E62iK.exeUser1.exe

description pid process

Token: SeDebugPrivilege 360 New Order_R43YZIr0C8E62iK.exe
Token: SeDebugPrivilege 516 User1.exe

pid	process
360	New Order_R43YZIr0C8E62iK.exe
360	New Order_R43YZIr0C8E62iK.exe
516	User1.exe

description	pid	process
Token: SeDebugPrivilege	360	New Order_R43YZIr0C8E62iK.exe
Token: SeDebugPrivilege	516	User1.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

New Order_R43YZIr0C8E62iK.exeNew Order_R43YZIr0C8E62iK.exeUser1.exe

description	pid	process	target process
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 360 wrote to memory of 1304	360	New Order_R43YZIr0C8E62iK.exe	New Order_R43YZIr0C8E62iK.exe
PID 1304 wrote to memory of 516	1304	New Order_R43YZIr0C8E62iK.exe	User1.exe
PID 1304 wrote to memory of 516	1304	New Order_R43YZIr0C8E62iK.exe	User1.exe
PID 1304 wrote to memory of 516	1304	New Order_R43YZIr0C8E62iK.exe	User1.exe
PID 1304 wrote to memory of 516	1304	New Order_R43YZIr0C8E62iK.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe
PID 516 wrote to memory of 1720	516	User1.exe	User1.exe

C:\Users\Admin\AppData\Local\Temp\New Order_R43YZIr0C8E62iK.exe
"C:\Users\Admin\AppData\Local\Temp\New Order_R43YZIr0C8E62iK.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\New Order_R43YZIr0C8E62iK.exe
"C:\Users\Admin\AppData\Local\Temp\New Order_R43YZIr0C8E62iK.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\ProgramData\User1.exe
"C:\ProgramData\User1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\ProgramData\User1.exe
"C:\ProgramData\User1.exe"
4⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\User1.exe
MD5
c2defdcd91b04ece9e34bee77d0f5adc

SHA1
14b0616035e2fef2c4dc9ab4ba9b5f23b159c361

SHA256
344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89

SHA512
41665255975bf4a392f50455b7640e77e42ee1aa505a60fa4d5b620d9ce4193832362d6159193319a0029109f6602b0ef7f78fbf20de667f773efd67b5e08c25

Download Submit
C:\ProgramData\User1.exe
MD5
c2defdcd91b04ece9e34bee77d0f5adc

SHA1
14b0616035e2fef2c4dc9ab4ba9b5f23b159c361

SHA256
344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89

SHA512
41665255975bf4a392f50455b7640e77e42ee1aa505a60fa4d5b620d9ce4193832362d6159193319a0029109f6602b0ef7f78fbf20de667f773efd67b5e08c25

Download Submit
C:\ProgramData\User1.exe
MD5
c2defdcd91b04ece9e34bee77d0f5adc

SHA1
14b0616035e2fef2c4dc9ab4ba9b5f23b159c361

SHA256
344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89

SHA512
41665255975bf4a392f50455b7640e77e42ee1aa505a60fa4d5b620d9ce4193832362d6159193319a0029109f6602b0ef7f78fbf20de667f773efd67b5e08c25

Download Submit
\ProgramData\User1.exe
MD5
c2defdcd91b04ece9e34bee77d0f5adc

SHA1
14b0616035e2fef2c4dc9ab4ba9b5f23b159c361

SHA256
344411537546f4601fe7f667f8cd82cb0aa92da98581ea055b66d49ed16ebd89

SHA512
41665255975bf4a392f50455b7640e77e42ee1aa505a60fa4d5b620d9ce4193832362d6159193319a0029109f6602b0ef7f78fbf20de667f773efd67b5e08c25

Download Submit
memory/360-60-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/360-59-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/516-75-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/516-71-0x0000000000000000-mapping.dmp

Download
memory/1304-69-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/1304-63-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/1304-62-0x0000000000405887-mapping.dmp

Download
memory/1720-77-0x0000000000405887-mapping.dmp

Download
memory/1720-76-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1720-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads