warzonerat | dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

General

Target

e3371e0d650405ac74532bc9a0dc8cf4.exe
Size

684KB
MD5

e3371e0d650405ac74532bc9a0dc8cf4
SHA1

79f6616b9fba88c18b0d435fae691c8c98a4f1cf
SHA256

dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43
SHA512

ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

3412 svchost.exe
3948 svchost.exe

pid	process
3412	svchost.exe
3948	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

description	pid	process	target process
PID 4056 set thread context of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 3412 set thread context of 3948	3412	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

pid process

4056 e3371e0d650405ac74532bc9a0dc8cf4.exe
4056 e3371e0d650405ac74532bc9a0dc8cf4.exe
3412 svchost.exe
3412 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4056 e3371e0d650405ac74532bc9a0dc8cf4.exe
Token: SeDebugPrivilege 3412 svchost.exe

pid	process
4056	e3371e0d650405ac74532bc9a0dc8cf4.exe
4056	e3371e0d650405ac74532bc9a0dc8cf4.exe
3412	svchost.exe
3412	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe
Token: SeDebugPrivilege	3412	svchost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e3371e0d650405ac74532bc9a0dc8cf4.exee3371e0d650405ac74532bc9a0dc8cf4.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 4056 wrote to memory of 3084	4056	e3371e0d650405ac74532bc9a0dc8cf4.exe	e3371e0d650405ac74532bc9a0dc8cf4.exe
PID 3084 wrote to memory of 4012	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 3084 wrote to memory of 4012	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 3084 wrote to memory of 4012	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	cmd.exe
PID 3084 wrote to memory of 3412	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 3084 wrote to memory of 3412	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 3084 wrote to memory of 3412	3084	e3371e0d650405ac74532bc9a0dc8cf4.exe	svchost.exe
PID 4012 wrote to memory of 2612	4012	cmd.exe	reg.exe
PID 4012 wrote to memory of 2612	4012	cmd.exe	reg.exe
PID 4012 wrote to memory of 2612	4012	cmd.exe	reg.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3412 wrote to memory of 3948	3412	svchost.exe	svchost.exe
PID 3948 wrote to memory of 1240	3948	svchost.exe	cmd.exe
PID 3948 wrote to memory of 1240	3948	svchost.exe	cmd.exe
PID 3948 wrote to memory of 1240	3948	svchost.exe	cmd.exe
PID 3948 wrote to memory of 1240	3948	svchost.exe	cmd.exe
PID 3948 wrote to memory of 1240	3948	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
"C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
C:\Users\Admin\AppData\Local\Temp\e3371e0d650405ac74532bc9a0dc8cf4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:2612

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\ProgramData\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
e3371e0d650405ac74532bc9a0dc8cf4

SHA1
79f6616b9fba88c18b0d435fae691c8c98a4f1cf

SHA256
dd5107d7cc5b86ef5a650ea6e01b662066c34072859272fa886379e304e7df43

SHA512
ebcc377484c889df78c4164b0267296d7179a9cf1e63f21deb45d1fa92fcd0daff603e4de5457494c6cf2cea353be7151343cea87b2600f85cdddbf20258b223

Download Submit
memory/1240-155-0x0000000000000000-mapping.dmp

Download
memory/2612-139-0x0000000000000000-mapping.dmp

Download
memory/3084-129-0x0000000000405E28-mapping.dmp

Download
memory/3084-128-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3084-130-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3412-141-0x0000000005400000-0x00000000058FE000-memory.dmp

Filesize
5.0MB

Download
memory/3412-154-0x0000000005400000-0x00000000058FE000-memory.dmp

Filesize
5.0MB

Download
memory/3412-132-0x0000000000000000-mapping.dmp

Download
memory/3948-151-0x0000000000405E28-mapping.dmp

Download
memory/4012-131-0x0000000000000000-mapping.dmp

Download
memory/4056-120-0x0000000004D60000-0x0000000004DAE000-memory.dmp

Filesize
312KB

Download
memory/4056-122-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/4056-119-0x0000000004BE0000-0x00000000050DE000-memory.dmp

Filesize
5.0MB

Download
memory/4056-121-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/4056-118-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4056-117-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4056-114-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4056-127-0x0000000007010000-0x0000000007076000-memory.dmp

Filesize
408KB

Download
memory/4056-116-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing