warzonerat | 401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

General

Target

a4596b039ec21394b6f5a7032f9b4b50.exe
Size

383KB
MD5

a4596b039ec21394b6f5a7032f9b4b50
SHA1

15604020db19962ef579ecde885f2516a48c4b99
SHA256

401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48
SHA512

877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Family

warzonerat

C2

byx.z86.ru:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

296 svchost.exe
1468 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

pid process

1084 a4596b039ec21394b6f5a7032f9b4b50.exe
296 svchost.exe

pid	process
296	svchost.exe
1468	svchost.exe

pid	process
1084	a4596b039ec21394b6f5a7032f9b4b50.exe
296	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

description	pid	process	target process
PID 2000 set thread context of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 296 set thread context of 1468	296	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

pid	process
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
2000	a4596b039ec21394b6f5a7032f9b4b50.exe
296	svchost.exe
296	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2000 a4596b039ec21394b6f5a7032f9b4b50.exe
Token: SeDebugPrivilege 296 svchost.exe

description	pid	process
Token: SeDebugPrivilege	2000	a4596b039ec21394b6f5a7032f9b4b50.exe
Token: SeDebugPrivilege	296	svchost.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

a4596b039ec21394b6f5a7032f9b4b50.exea4596b039ec21394b6f5a7032f9b4b50.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2000 wrote to memory of 1780	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1780	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1780	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1780	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 2000 wrote to memory of 1084	2000	a4596b039ec21394b6f5a7032f9b4b50.exe	a4596b039ec21394b6f5a7032f9b4b50.exe
PID 1084 wrote to memory of 396	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 1084 wrote to memory of 396	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 1084 wrote to memory of 396	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 1084 wrote to memory of 396	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	cmd.exe
PID 1084 wrote to memory of 296	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 1084 wrote to memory of 296	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 1084 wrote to memory of 296	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 1084 wrote to memory of 296	1084	a4596b039ec21394b6f5a7032f9b4b50.exe	svchost.exe
PID 396 wrote to memory of 744	396	cmd.exe	reg.exe
PID 396 wrote to memory of 744	396	cmd.exe	reg.exe
PID 396 wrote to memory of 744	396	cmd.exe	reg.exe
PID 396 wrote to memory of 744	396	cmd.exe	reg.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 296 wrote to memory of 1468	296	svchost.exe	svchost.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe
PID 1468 wrote to memory of 984	1468	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
"C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
2⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
C:\Users\Admin\AppData\Local\Temp\a4596b039ec21394b6f5a7032f9b4b50.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\svchost.exe"
4⤵
PID:744

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\ProgramData\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
\ProgramData\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
a4596b039ec21394b6f5a7032f9b4b50

SHA1
15604020db19962ef579ecde885f2516a48c4b99

SHA256
401bce69b94fd198482a5e4c760570afd0e6b85e64871894a4796acd5aeedd48

SHA512
877dab806cee2cb874c482f3c0f3240d4423ff1446371a4318f37831845f7fac6de395a301505f587d3dc287f2c193fa102c43c90202999087c6beddf98ef9af

Download Submit
memory/296-81-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/296-75-0x0000000000000000-mapping.dmp

Download
memory/296-78-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/396-73-0x0000000000000000-mapping.dmp

Download
memory/744-80-0x0000000000000000-mapping.dmp

Download
memory/984-96-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/984-95-0x0000000000000000-mapping.dmp

Download
memory/1084-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1084-71-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1084-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1084-70-0x0000000000405E28-mapping.dmp

Download
memory/1468-93-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1468-90-0x0000000000405E28-mapping.dmp

Download
memory/2000-63-0x0000000000720000-0x0000000000769000-memory.dmp

Filesize
292KB

Download
memory/2000-62-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2000-68-0x0000000004C80000-0x0000000004CDD000-memory.dmp

Filesize
372KB

Download
memory/2000-60-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads