warzonerat | e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

General

Target

e1c3891695a70f6cecaa417acc69bb75.exe
Size

669KB
MD5

e1c3891695a70f6cecaa417acc69bb75
SHA1

794aebe0e020616346692c17329df1f406153c51
SHA256

e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f
SHA512

839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

dfdgdsasedw.ydns.eu:34566

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

592 images.exe
1884 images.exe
Loads dropped DLL 2 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

pid process

1648 e1c3891695a70f6cecaa417acc69bb75.exe
592 images.exe

pid	process
592	images.exe
1884	images.exe

pid	process
1648	e1c3891695a70f6cecaa417acc69bb75.exe
592	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

description	pid	process	target process
PID 1996 set thread context of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 592 set thread context of 1884	592	images.exe	images.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

pid	process
1996	e1c3891695a70f6cecaa417acc69bb75.exe
1996	e1c3891695a70f6cecaa417acc69bb75.exe
1996	e1c3891695a70f6cecaa417acc69bb75.exe
1996	e1c3891695a70f6cecaa417acc69bb75.exe
1996	e1c3891695a70f6cecaa417acc69bb75.exe
1996	e1c3891695a70f6cecaa417acc69bb75.exe
592	images.exe
592	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

description pid process

Token: SeDebugPrivilege 1996 e1c3891695a70f6cecaa417acc69bb75.exe
Token: SeDebugPrivilege 592 images.exe

description	pid	process
Token: SeDebugPrivilege	1996	e1c3891695a70f6cecaa417acc69bb75.exe
Token: SeDebugPrivilege	592	images.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exee1c3891695a70f6cecaa417acc69bb75.execmd.exeimages.exeimages.exe

description	pid	process	target process
PID 1996 wrote to memory of 1644	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1644	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1644	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1644	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1996 wrote to memory of 1648	1996	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1648 wrote to memory of 540	1648	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 1648 wrote to memory of 540	1648	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 1648 wrote to memory of 540	1648	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 1648 wrote to memory of 540	1648	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 1648 wrote to memory of 592	1648	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 1648 wrote to memory of 592	1648	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 1648 wrote to memory of 592	1648	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 1648 wrote to memory of 592	1648	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 540 wrote to memory of 816	540	cmd.exe	reg.exe
PID 540 wrote to memory of 816	540	cmd.exe	reg.exe
PID 540 wrote to memory of 816	540	cmd.exe	reg.exe
PID 540 wrote to memory of 816	540	cmd.exe	reg.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 592 wrote to memory of 1884	592	images.exe	images.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe
PID 1884 wrote to memory of 1052	1884	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
"C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
4⤵
PID:816

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\ProgramData\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
\ProgramData\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
\Users\Admin\AppData\Local\Temp\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
memory/540-73-0x0000000000000000-mapping.dmp

Download
memory/592-93-0x0000000004D35000-0x0000000004D46000-memory.dmp

Filesize
68KB

Download
memory/592-78-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/592-81-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/592-75-0x0000000000000000-mapping.dmp

Download
memory/816-80-0x0000000000000000-mapping.dmp

Download
memory/1052-96-0x0000000000000000-mapping.dmp

Download
memory/1648-70-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1648-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1648-69-0x0000000000405E28-mapping.dmp

Download
memory/1648-68-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1884-90-0x0000000000405E28-mapping.dmp

Download
memory/1884-94-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1996-71-0x00000000003D5000-0x00000000003E6000-memory.dmp

Filesize
68KB

Download
memory/1996-59-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1996-67-0x0000000005B10000-0x0000000005B6F000-memory.dmp

Filesize
380KB

Download
memory/1996-62-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1996-61-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads