warzonerat | e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

General

Target

e1c3891695a70f6cecaa417acc69bb75.exe
Size

669KB
MD5

e1c3891695a70f6cecaa417acc69bb75
SHA1

794aebe0e020616346692c17329df1f406153c51
SHA256

e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f
SHA512

839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

dfdgdsasedw.ydns.eu:34566

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

1172 images.exe
2736 images.exe

pid	process
1172	images.exe
2736	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

description	pid	process	target process
PID 2388 set thread context of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 1172 set thread context of 2736	1172	images.exe	images.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

pid process

2388 e1c3891695a70f6cecaa417acc69bb75.exe
2388 e1c3891695a70f6cecaa417acc69bb75.exe
1172 images.exe
1172 images.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exeimages.exe

description pid process

Token: SeDebugPrivilege 2388 e1c3891695a70f6cecaa417acc69bb75.exe
Token: SeDebugPrivilege 1172 images.exe

pid	process
2388	e1c3891695a70f6cecaa417acc69bb75.exe
2388	e1c3891695a70f6cecaa417acc69bb75.exe
1172	images.exe
1172	images.exe

description	pid	process
Token: SeDebugPrivilege	2388	e1c3891695a70f6cecaa417acc69bb75.exe
Token: SeDebugPrivilege	1172	images.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

e1c3891695a70f6cecaa417acc69bb75.exee1c3891695a70f6cecaa417acc69bb75.execmd.exeimages.exeimages.exe

description	pid	process	target process
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 2388 wrote to memory of 3292	2388	e1c3891695a70f6cecaa417acc69bb75.exe	e1c3891695a70f6cecaa417acc69bb75.exe
PID 3292 wrote to memory of 2284	3292	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 3292 wrote to memory of 2284	3292	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 3292 wrote to memory of 2284	3292	e1c3891695a70f6cecaa417acc69bb75.exe	cmd.exe
PID 3292 wrote to memory of 1172	3292	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 3292 wrote to memory of 1172	3292	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 3292 wrote to memory of 1172	3292	e1c3891695a70f6cecaa417acc69bb75.exe	images.exe
PID 2284 wrote to memory of 3780	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 3780	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 3780	2284	cmd.exe	reg.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 1172 wrote to memory of 2736	1172	images.exe	images.exe
PID 2736 wrote to memory of 3824	2736	images.exe	cmd.exe
PID 2736 wrote to memory of 3824	2736	images.exe	cmd.exe
PID 2736 wrote to memory of 3824	2736	images.exe	cmd.exe
PID 2736 wrote to memory of 3824	2736	images.exe	cmd.exe
PID 2736 wrote to memory of 3824	2736	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
"C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
C:\Users\Admin\AppData\Local\Temp\e1c3891695a70f6cecaa417acc69bb75.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
4⤵
PID:3780

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:3824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\ProgramData\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\images.exe
MD5
e1c3891695a70f6cecaa417acc69bb75

SHA1
794aebe0e020616346692c17329df1f406153c51

SHA256
e150f981d43106895ce64ebce7b41ae17b0eed49baa4cfc0d8d09c98dd208e8f

SHA512
839239a3dda5c6c394d4d352bc2e27a0601ac052b440fb68a8c7c5c55dffd960c718e48ec1f44adc24d1889f58e3a14339ae28fc3ece54d84385feb6c8442e8f

Download Submit
memory/1172-141-0x0000000005020000-0x000000000551E000-memory.dmp

Filesize
5.0MB

Download
memory/1172-132-0x0000000000000000-mapping.dmp

Download
memory/2284-131-0x0000000000000000-mapping.dmp

Download
memory/2388-120-0x0000000004F90000-0x0000000004FDA000-memory.dmp

Filesize
296KB

Download
memory/2388-118-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2388-116-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2388-117-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2388-127-0x00000000072C0000-0x000000000731F000-memory.dmp

Filesize
380KB

Download
memory/2388-122-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/2388-121-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2388-119-0x0000000004CC0000-0x00000000051BE000-memory.dmp

Filesize
5.0MB

Download
memory/2736-151-0x0000000000405E28-mapping.dmp

Download
memory/2736-154-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3292-130-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3292-129-0x0000000000405E28-mapping.dmp

Download
memory/3292-128-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3780-138-0x0000000000000000-mapping.dmp

Download
memory/3824-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing