warzonerat | dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

General

Target

e3371e0d650405ac74532bc9a0dc8cf4.exe
Size

684KB
MD5

e3371e0d650405ac74532bc9a0dc8cf4
SHA1

79f6616b9fba88c18b0d435fae691c8c98a4f1cf
SHA256

dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43
SHA512

ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

660 svchost.exe
1664 svchost.exe
1792 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

pid process

1340 e3371e0d650405ac74532bc9a0dc8cf4.exe
660 svchost.exe
660 svchost.exe

pid	process
660	svchost.exe
1664	svchost.exe
1792	svchost.exe

pid	process
1340	e3371e0d650405ac74532bc9a0dc8cf4.exe
660	svchost.exe
660	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

description	pid	process	target process
PID 304 set thread context of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 660 set thread context of 1792	660	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

pid process

304 e3371e0d650405ac74532bc9a0dc8cf4.exe
304 e3371e0d650405ac74532bc9a0dc8cf4.exe
660 svchost.exe
660 svchost.exe
660 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

description pid process

Token: SeDebugPrivilege 304 e3371e0d650405ac74532bc9a0dc8cf4.exe
Token: SeDebugPrivilege 660 svchost.exe

pid	process
304	e3371e0d650405ac74532bc9a0dc8cf4.exe
304	e3371e0d650405ac74532bc9a0dc8cf4.exe
660	svchost.exe
660	svchost.exe
660	svchost.exe

description	pid	process
Token: SeDebugPrivilege	304	e3371e0d650405ac74532bc9a0dc8cf4.exe
Token: SeDebugPrivilege	660	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exee3371e0d650405ac74532bc9a0dc8cf4.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 304 wrote to memory of 1340	304	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 1340 wrote to memory of 268	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 1340 wrote to memory of 268	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 1340 wrote to memory of 268	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 1340 wrote to memory of 268	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 1340 wrote to memory of 660	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 1340 wrote to memory of 660	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 1340 wrote to memory of 660	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 1340 wrote to memory of 660	1340	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 268 wrote to memory of 1832	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1832	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1832	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1832	268	cmd.exe	reg.exe
PID 660 wrote to memory of 1664	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1664	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1664	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1664	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 660 wrote to memory of 1792	660	svchost.exe	svchost.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe
PID 1792 wrote to memory of 920	1792	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
"C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:1832

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\ProgramData\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
\ProgramData\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
memory/268-73-0x0000000000000000-mapping.dmp

Download
memory/304-61-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/304-71-0x0000000004BC5000-0x0000000004BD6000-memory.dmp

Filesize
68KB

Download
memory/304-62-0x0000000000970000-0x00000000009BE000-memory.dmp

Filesize
312KB

Download
memory/304-59-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/304-67-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/660-96-0x0000000004F15000-0x0000000004F26000-memory.dmp

Filesize
68KB

Download
memory/660-82-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/660-78-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/660-75-0x0000000000000000-mapping.dmp

Download
memory/920-99-0x0000000000000000-mapping.dmp

Download
memory/1340-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-70-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1340-69-0x0000000000405E28-mapping.dmp

Download
memory/1340-68-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1792-93-0x0000000000405E28-mapping.dmp

Download
memory/1792-97-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1832-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing